Abstract. We introduce a new symbolic representation based on an original generalization of counter abstraction. Unlike classical counter abstraction (used in the analysis of parameterized systems with unordered or unstructured topologies), the new representation is tailored for proving properties of linearly ordered parameterized systems, i.e., systems with arbitrarily many finite processes placed in an array. The relative positions in the array capture the relative priorities of the processes. Configurations of such systems are finite words of arbitrary length. The processes communicate using global transitions constrained by their relative priorities. Intuitively, an element of the symbolic representation has a base and a set of counters. It denotes configurations that respect the constraints imposed by the counters and that have the base as a subword. We use the new representation in a uniform and automatic counter-example guided refinement scheme. We introduce a relaxation operator that allows a well quasi ordering argument for the termination of each iteration of the refinement loop. We explain how to refine the relaxation to systematically prune out false positives. We implemented a tool to illustrate the approach on a number of parameterized systems.



1 Introduction 

We introduce in this paper an original adaptation of counter abstraction and use it for the verification of safety properties for linearly ordered parameterized systems. Typically, such a system consists of an arbitrary number of identical processes placed in a linear array. Each process is assumed to have a finite number of states. The arbitrary size of these systems results in an infinite number of possible configurations. Examples of linearly ordered parameterized systems include mutual exclusion algorithms, bus protocols, telecommunication protocols, and cache coherence protocols. The goal is to check correctness regardless of the number of processes in the system.

Configurations of a parameterized system can be seen as finite words of arbitrary length over the finite set $Q$ of process states. Processes change state using transitions that might involve global conditions. These can be universal or existential. Transition (1) below is constrained by a universal condition. It requires that a process (with array index) $i$ may perform the transition only if all processes with indices $j > i$ (i.e., to the right of $i$, hence $\forall_R$) are in states $\{q_1, q_2, q_3\} \subseteq Q$ (the condition holds vacuously for the rightmost process, which has no process to its right).

$$i : q_5 \to q_6 : \forall_R \{q_1, q_2, q_3\} \qquad (1)$$

An existential condition may require that some (instead of all) processes with indices $j > i$ are in certain states. Regular model checking [18, 11] is an important technique which has been used for the uniform verification of infinite state systems in general, and of linearly ordered parameterized systems in particular. This technique uses finite state automata to represent sets of configurations, and transducers (i.e., finite state automata over pairs of letters) to capture transitions of the system. Verification boils down to the repeated calculation of several automata-based constructions, among which is the application of the transducers to (typically) heavier and heavier automata representing more and more complex sets of reachable configurations. To ease termination of these computations, acceleration [5], widening [8, 22] and abstraction [9] methods are used.

In order to combat this complexity, the framework of monotonic abstraction [4, 3] uses upward closed sets (wrt. a predefined pre-order) as symbolic representations. This introduces an over-approximation, as the sets of states generated during the analysis are not necessarily upward closed. The advantage is to use minimal constraints (instead of arbitrary automata) to succinctly represent possibly infinite sets of configurations. The approach typically adopts the subword relation as pre-order for the kind of systems we consider in this work. As a concrete example, if $q_5 \in Q$, then the word $q_5 q_5$ would represent all configurations in $(Q^* q_5 Q^* q_5 Q^*)$, since $q_5 q_5$ is a subword of each one of them. The analysis starts with upward closed sets and repeatedly approximates sets of predecessors by closing them upwards. Termination is guaranteed using a well quasi ordering argument [16]. The scheme proved quite successful [4, 3, 2] but did not propose refinements for pruning false positives for ordered systems like the ones we consider here. The resulting approximations are particularly inadequate when performing forward analysis, which can be more efficient [15] in general.

In this work, we augment precision on demand by combining the use of minimal constraints a la monotonic abstraction with threshold based counter abstraction. The idea of counter abstraction [21, 7, 13, 17] is to keep track of the number of processes which satisfy a certain property. A typical property for a process is to be in a certain state in $Q$. A simple approach to ensure termination is then to count up to a prefixed threshold. Beyond the threshold, any number of processes satisfying the property is assumed possible. This results in a finite state system that can easily be analyzed. If the approximation is too coarse, the threshold can be augmented. For systems like those we consider in this paper, automatically finding the right properties and thresholds can become very challenging. Consider for instance transition (1) above. It is part of Burns mutual exclusion algorithm, where $q_6$ models access to the critical section (see appendix). Suppose we want to compute the $t$-successors of configurations only containing processes in state $q_5$. These are in fact reachable in Burns algorithm. Plain counter abstraction would capture that all processes are at state $q_5$. After one step it would capture that there is one process at state $q_6$ and all other processes are at state $q_5$ (losing that $q_6$ is to the right of all $q_5$, if any). After the second step it would conclude that configurations with at least two $q_6$ are also reachable (thus violating mutual exclusion). Observe that augmenting a threshold would not help, as the problem is inherent to the loss of information about the relative positions of the processes. Upward closure based representations will also result in a mutual exclusion violation if used forward on this example. Suppose we use $q_5 q_5$ as a minimal constraint. Upward closure wrt. the subword relation would result in the set $(Q^* q_5 Q^* q_5 Q^*)$, which also allows two processes at state $q_6$ to coexist. Even when using the refined ordering of [3], upward closure would result in $(\{q_5\}^* q_5 \{q_5\}^* q_5 \{q_5\}^*)$. After one step, the obtained $(\{q_5\}^* q_5 \{q_5\}^* q_6)$ will be approximated with $(\{q_5, q_6\}^* q_5 \{q_5, q_6\}^* q_6 \{q_5, q_6\}^*)$, again violating mutual exclusion. Approximations are needed to ensure termination of the analysis. Indeed, without approximation, one would have to differentiate infinitely many sets, like the sequence

$$(\{q_5\}^* q_6),\ (\{q_5\}^* q_6 \{q_5\}^* q_6),\ \ldots,\ (\{q_5\}^* q_6 \{q_5\}^* \cdots \{q_5\}^* q_6) \qquad (2)$$



The idea of this work is to combine threshold-based counter abstraction together with upward closure techniques in order to gain precision while still ensuring termination. To achieve this, we introduce the notion of a counted word. A counted word has a base and a number of formulae (called counters). Like in monotonic abstraction, a base (a word in $Q^*$) is used as a minimal element and denotes all larger words wrt. the subword relation. In addition, the counters are used to constrain the denotation of the base. We associate two counters per state in the base. For each state, one counter (called left counter) constrains the Parikh images of the allowed prefixes to the left of the state, and the other (called right counter) constrains the Parikh images of the allowed suffixes to the right of the state. For example, $(\{q_5\}^* q_6)$, which cannot be captured by usual upward closure or counter abstraction techniques, is captured by a counted word $\varphi_1$ with base $q_6$: its left counter restricts the prefix to $\{q_5\}^*$ and its right counter restricts the suffix to the empty word. The sets of sequence (2) can then be captured by counted words $\varphi_1, \varphi_2, \ldots$. This gain in precision comes at the cost of termination. We therefore use a family of relaxations. Each relaxation comes with thresholds associated to each state in $Q$. If a counter requires $(v_q = k)$ with $k$ larger than the threshold imposed by the relaxation, we weaken $(v_q = k)$ into $(v_q \geq k)$. Using a well quasi ordering argument, we show that this is enough to ensure termination of the analysis that relaxes all manipulated counted words. If the relaxation is too coarse and generates a spurious trace, we propose a mechanism to detect the states whose thresholds need to be increased in order to get rid of the spurious trace. The scheme can be used both in forward or in backward analysis in order to check reachability of sets of configurations. We tried the approach on a prototype implementation and obtained encouraging results on a number of mutex algorithms.



Related work. Other verification efforts with a termination guarantee typically consider decidable subclasses [11, 13, 12], or use approximations to obtain systems on which the analysis is decidable [7, 2] and [21, 10, 20]. For example, the authors in [12] propose a forward framework with systematic refinement to decide safety properties for a decidable class. The problem we consider here is undecidable. The authors in [20] use heuristics to deduce cut-offs in order to check invariants on finite instances. In [21] the authors use counter abstraction and truncate the counters in order to obtain a finite state system. This might require manual insertion of auxiliary variables to capture the relative order of processes in the array. Environment abstraction [10] combines predicate and counter abstraction. This allows it to handle systems where processes manipulate infinite variables (e.g. identifiers). It also results in what is essentially a finite state approximated system. Hence, it can require considerable interaction and human ingenuity to find the right predicates. Our approach handles linearly ordered systems in a uniform manner. It automatically adds precision based on the spurious traces it might generate.

Outline. Section 2 gives some preliminaries and defines parameterized systems. Section 3 describes the verification problem we target, and Section 4 introduces a generic verification scheme to solve it. Section 5 introduces counted words and Section 6 uses them to instantiate the verification algorithm. Section 7 describes the experiments we performed and Section 8 concludes. Proofs and details of the examples are in the appendix.

2 Preliminaries 

We use $\mathbb{N}$ for the set of natural numbers. For a natural number $n$, we use $\overline{n}$ to mean the set $\{1, \ldots, n\}$. We let $\Sigma^*$ be the set of finite words over $\Sigma$, $w \cdot w'$ be the concatenation of the words $w$ and $w'$, $\epsilon$ be the empty word, and $w \sqcup\!\sqcup w'$ be the shuffle set $\{w'' \mid w'' = w_1 \cdot w'_1 \cdot w_2 \cdot w'_2 \cdots w_n \cdot w'_n \text{ s.t. } w = w_1 \cdots w_n,\ w' = w'_1 \cdots w'_n\}$. Fix a word $w = \sigma_1 \cdots \sigma_n$. We write $|w|$ to mean the size $n$, $w_{[i..j]}$ to mean the word $\sigma_i \cdot \sigma_{i+1} \cdots \sigma_j$, $w[i]$ to mean the letter $\sigma_i$, $hd(w)$ to mean the letter $\sigma_1$, and $tl(w)$ to mean the suffix $w_{[2..n]}$. We write $w^\bullet$ to mean the set $\{\sigma_1, \ldots, \sigma_n\}$ of letters appearing in $w$. A multiset $m$ is a mapping $\Sigma \to \mathbb{N}$. We write $m \sqsubseteq m'$ to mean that $m$ is included in $m'$, i.e., that $\bigwedge_{\sigma \in \Sigma} m(\sigma) \leq m'(\sigma)$. We write $m \oplus m'$ to mean the union of $m$ and $m'$, i.e., $\bigwedge_{\sigma \in \Sigma} (m \oplus m')(\sigma) = m(\sigma) + m'(\sigma)$. If $m' \sqsubseteq m$, then the multiset $m \ominus m'$ is defined and verifies, for each $\sigma$ in $\Sigma$, $(m \ominus m')(\sigma) = m(\sigma) - m'(\sigma)$. It is undefined otherwise. The Parikh image $w^\#$ of a word $w$ is the multiset that gives the number of occurrences in $w$ of each letter $\sigma$ in $\Sigma$. Given a set $S$ and a pre-order $\preceq$ on $S$ (i.e., a reflexive and transitive binary relation), an $(S, \preceq)$-antichain is an infinite sequence $\sigma_1, \sigma_2, \ldots$ of elements of $S$ with $\sigma_i \not\preceq \sigma_j$ if $i < j$. A pair $(S, \preceq)$ is a well quasi ordering if there are no $(S, \preceq)$-antichains.

3 Parameterized Systems with Global Conditions

Formally, a parameterized system is a pair $\mathcal{P} = (Q, T)$, where $Q$ is a finite set of local states and $T$ is a finite set of transitions. A transition is either local or global. A local transition is of the form $q \to q'$. It allows a process to change its local state from $q$ to $q'$ independently of the local states of the other processes. A global transition is of the form $q \to q' : \mathcal{Q}P$, where $\mathcal{Q} \in \{\exists_L, \exists_R, \exists_{LR}, \forall_L, \forall_R, \forall_{LR}\}$ and $P \subseteq Q$. Here, the process also checks the local states of the other processes when it takes the transition. For instance, the condition $\forall_L P$ means that "all processes to the left should be in local states which belong to the set $P$"; the condition $\forall_{LR} P$ means that "all other processes (whether to the left or to the right) should be in local states which belong to the set $P$". Given $Q$ and $T$, a parameterized system $\mathcal{P} = (Q, T)$ induces an infinite-state transition system $(C, \to)$ where $C = Q^*$ is the set of configurations and $\to$ is a transition relation on $C$. For configurations $c = c_1 q c_2$, $c' = c_1 q' c_2$, and a transition $t \in T$, we write $c \to_t c'$ to mean that one of the following conditions is satisfied:

- $t$ is a local transition of the form $q \to q'$.

- $t$ is a global transition $q \to q' : \mathcal{Q}P$, and one of the following conditions is satisfied:

  - either $\mathcal{Q}P = \exists_L P$ and $c_1^\bullet \cap P \neq \emptyset$, or $\mathcal{Q}P = \exists_R P$ and $c_2^\bullet \cap P \neq \emptyset$, or $\mathcal{Q}P = \exists_{LR} P$ and $(c_1^\bullet \cup c_2^\bullet) \cap P \neq \emptyset$,

  - or $\mathcal{Q}P = \forall_L P$ and $c_1^\bullet \subseteq P$, or $\mathcal{Q}P = \forall_R P$ and $c_2^\bullet \subseteq P$, or $\mathcal{Q}P = \forall_{LR} P$ and $(c_1^\bullet \cup c_2^\bullet) \subseteq P$.

Note that a universal condition on an empty side holds vacuously: $\forall_R P$ is satisfied for the rightmost process whatever $P$ is, since then $c_2 = \epsilon$ and $\epsilon^\bullet = \emptyset \subseteq P$; symmetrically for $\forall_L P$ and the leftmost process.

We write $\to$ to mean $\bigcup_{t \in T} \to_t$ and use $\to^*$ to denote the reflexive transitive closure of $\to$. Given a parameterized system, we assume that, prior to starting the execution of the system, each process is in an (identical) initial state $p_{init}$. We use $Init$ to denote the set of initial configurations, i.e., configurations of the form $p_{init} \cdots p_{init}$ (all processes are in their initial states). Notice that the set $Init$ is infinite. It can be shown, using standard techniques (see e.g. [23]), that checking safety properties (expressed as regular languages) can be translated into instances of the reachability problem. The reachability problem for parameterized systems is defined as follows:



REACH-PAR

Instance:
- A parameterized system $\mathcal{P}$
- A (possibly infinite) set $C_F$ of configurations.

Question: $Init \to^* C_F$?
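As an added example (not code from the paper), the following Python implements the transition relation $\to_t$ defined above on explicit word configurations, together with a reachability search for one finite instance. The `Transition` type, the encoding of global conditions as the strings EL/ER/ELR/AL/AR/ALR and the helper names are this example's own; the transition `T1` is transition (1) of the introduction, with the states named there. It shows concretely what the counter abstraction of the introduction loses: under (1), only the rightmost $q_5$ can ever move, so at most one process reaches $q_6$. The existential transition `T_EX` is a made-up illustration of an $\exists_R$ condition, not part of Burns algorithm.

```python
# Added example: explicit semantics of a parameterized system (Q, T) on word
# configurations, as in Section 3. Not from the paper; names are this example's own.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

Config = Tuple[str, ...]  # a configuration is a finite word over Q


@dataclass(frozen=True)
class Transition:
    src: str                      # q
    dst: str                      # q'
    cond: Optional[str] = None    # None (local) or one of EL, ER, ELR, AL, AR, ALR
    P: FrozenSet[str] = frozenset()


def enabled(t: Transition, c: Config, i: int) -> bool:
    """Can process i (0-based, c[i] must be t.src) fire t in configuration c?"""
    if c[i] != t.src:
        return False
    if t.cond is None:
        return True
    left, right = set(c[:i]), set(c[i + 1:])   # c1• and c2• of the paper
    if t.cond == "EL":
        return bool(left & t.P)
    if t.cond == "ER":
        return bool(right & t.P)
    if t.cond == "ELR":
        return bool((left | right) & t.P)
    if t.cond == "AL":
        return left <= t.P           # vacuously true for the leftmost process
    if t.cond == "AR":
        return right <= t.P          # vacuously true for the rightmost process
    if t.cond == "ALR":
        return (left | right) <= t.P
    raise ValueError(t.cond)


def successors(c: Config, T) -> Set[Config]:
    """All c' with c -->_t c' for some t in T (every process position is tried)."""
    out = set()
    for t in T:
        for i in range(len(c)):
            if enabled(t, c, i):
                out.add(c[:i] + (t.dst,) + c[i + 1:])
    return out


def reachable(init: Config, T) -> Set[Config]:
    """Reachable configurations of one finite instance (fixed number of processes)."""
    seen, todo = {init}, [init]
    while todo:
        c = todo.pop()
        for c2 in successors(c, T):
            if c2 not in seen:
                seen.add(c2)
                todo.append(c2)
    return seen


def critical_section_count(c: Config) -> int:
    """Number of processes in q6, the critical section state of the introduction."""
    return c.count("q6")


# Transition (1) of the introduction: q5 -> q6 : forall_R {q1, q2, q3}.
T1 = Transition("q5", "q6", "AR", frozenset({"q1", "q2", "q3"}))
# Hypothetical existential transition, only to exercise the exists_R case.
T_EX = Transition("q5", "q1", "ER", frozenset({"q6"}))

if __name__ == "__main__":
    start = ("q5",) * 4
    print(successors(start, [T1]))       # only the rightmost q5 can move
    R = reachable(start, [T1])
    print(max(critical_section_count(c) for c in R))   # never more than one q6
```

Running the search from $q_5^n$ for any fixed $n$ confirms the claim in the introduction that the concrete system never lets two processes into $q_6$ through (1); the loss of mutual exclusion reported by plain counter abstraction is entirely an artifact of forgetting the array order.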





4 A Generic Refinement Scheme

We introduce in this section a generic scheme for solving the reachability problem of Section 3. The problem is undecidable in general. The scheme we introduce uses over-approximations to deduce unreachability. Each time the approximated analysis exhibits a sequence from the initial to the final configurations (i.e., a trace), we automatically follow the sequence in the original system. If this is possible, we return it as a proof of reachability. Otherwise, the trace is a false positive and we automatically strengthen the approximation in order to prune the trace (Figure 1).

Fig. 1. A generic scheme.
Requirements on a symbolic representation. A symbolic representation $\mathbb{S}$ permits to denote and to manipulate possibly infinite sets of configurations of a system $(Q, T)$. For an element $e$ in $\mathbb{S}$, we write $[\![e]\!]$ to mean the set of configurations denoted by $e$ (to simplify, we assume $[\![e]\!] \neq \emptyset$ for each $e$ in $\mathbb{S}$). We write $[\![\{e_1, \ldots, e_n\}]\!]$ to mean $\bigcup_{i \in \overline{n}} [\![e_i]\!]$. In addition, we require that $\mathbb{S}$ verifies that:

1. We can effectively check whether $e'$ entails $e$ (written $e \sqsubseteq_S e'$). We require that $\sqsubseteq_S$ is reflexive and transitive, and that $e \sqsubseteq_S e'$ implies $[\![e']\!] \subseteq [\![e]\!]$. We write $\{e_1, \ldots, e_n\} \sqsubseteq_S \{e'_1, \ldots, e'_m\}$ to mean that for each $j$, $1 \leq j \leq m$, there is an $e_i$ such that $e_i \sqsubseteq_S e'_j$. In this case, observe that $[\![\{e'_1, \ldots, e'_m\}]\!] \subseteq [\![\{e_1, \ldots, e_n\}]\!]$.

2. We can effectively compute $e \sqcap_S e' = \{e_1, \ldots, e_n\}$ s.t. $[\![e]\!] \cap [\![e']\!] = [\![e \sqcap_S e']\!]$. We simply let $\{e_1, \ldots, e_n\} \sqcap_S \{e'_1, \ldots, e'_m\}$ be the set $\bigcup_{(i, j) \in \overline{n} \times \overline{m}} (e_i \sqcap_S e'_j)$.

3. $\mathcal{D}_S$ is a set of effective relaxation operators. Each such operator $\nabla : \mathbb{S} \to \mathbb{S}$ verifies (we write $\nabla(\{e_1, \ldots, e_n\})$ to mean the set $\{\nabla(e_1), \ldots, \nabla(e_n)\}$, and let $\nabla(\{\}) = \{\}$):

   (a) for each $e$ in $\mathbb{S}$, $\nabla(e) \sqsubseteq_S e$, and

   (b) if $e \sqsubseteq_S e'$, then $\nabla(e) \sqsubseteq_S \nabla(e')$, and

   (c) there are no $(\nabla(\mathbb{S}), \sqsubseteq_S)$-antichains, i.e., the relaxed elements ordered by $\sqsubseteq_S$ form a well quasi ordering.

4. $\mathcal{S}$ is an effective separation operator s.t. given finite $\{e_1, \ldots, e_n\}$ and $\{e'_1, \ldots, e'_m\}$ with $(\{e_1, \ldots, e_n\} \sqcap_S \{e'_1, \ldots, e'_m\} = \emptyset)$, and given a relaxation $\nabla$ in $\mathcal{D}_S$ with $(\nabla(\{e_1, \ldots, e_n\}) \sqcap_S \{e'_1, \ldots, e'_m\} \neq \emptyset)$, then $\mathcal{S}(\{e_1, \ldots, e_n\}, \{e'_1, \ldots, e'_m\}, \nabla)$ returns a stronger relaxation $\nabla'$ in $\mathcal{D}_S$ ($\nabla'$ is stronger than $\nabla$ if $\nabla(e) \sqsubseteq_S \nabla'(e)$ for each $e$ in $\mathbb{S}$) with $(\nabla'(\{e_1, \ldots, e_n\}) \sqcap_S \{e'_1, \ldots, e'_m\} = \emptyset)$.

5. There are finite subsets $E_{Init}$ and $E_{C_F}$ such that $[\![E_{Init}]\!] = Init$ and $[\![E_{C_F}]\!] = C_F$.

6. For each $t$ in $T$ and $e$ in $\mathbb{S}$,

   (a) we can effectively compute sets $post_t(e)$ and $pre_t(e)$ such that $[\![post_t(e)]\!] = \{c' \mid c \to_t c' \text{ s.t. } c \in [\![e]\!]\}$ and $[\![pre_t(e)]\!] = \{c' \mid c' \to_t c \text{ s.t. } c \in [\![e]\!]\}$,

   (b) if $e \sqsubseteq_S e'$, then $post_t(e) \sqsubseteq_S post_t(e')$ and $pre_t(e) \sqsubseteq_S pre_t(e')$.

Requirements (1, 5, 6) are natural. Requirements (2, 3.b, 4) are needed by Algorithm 2, where (3.b) ensures the same trace is not encountered more than once. Requirement (3.a) is important for soundness of Algorithm 1, and requirement (3.c) guarantees its termination. We use $\mathbb{S}$ to implement the scheme of Figure 1.

The reachability checking algorithm. Algorithm 1 is a classical working list algorithm. It manipulates pairs $(e, \tau)$ of constraints and traces. A trace $\tau$ wrt. a relaxation $\nabla$ (or a $\nabla$-trace for short) is a sequence $e_0 \cdot t_1 \cdot e_1 \cdots e_m$ of $\mathbb{S}$ elements $\{e_0, \ldots, e_m\}$ and of transitions $\{t_1, \ldots, t_m\}$ in $T$, such that $e_0 \in E_{Init}$ and $e_{i+1} \in \nabla(post_{t_{i+1}}(e_i))$ for each $i : 0 \leq i < m$. Each manipulated pair is of the form $(e_m, e_0 \cdot t_1 \cdots e_m)$. The algorithm maintains two sets $W$ (working set) and $V$ (visited set) such that $(W \cup V)$ is minimal ($\{e_1, \ldots, e_n\}$ is minimal if $e_i \not\sqsubseteq_S e_j$ for $i \neq j$). The set $W$ collects pairs $(e, \tau)$ where $post_t(e)$ has still to be applied for each $t \in T$. The set $V$ collects pairs $(e, \tau)$ where $post_t(e)$ has already been applied for each transition $t$ in $T$. Initially, no element of $\mathbb{S}$ is visited, and all members of $E_{Init}$ (assumed minimal) are added to the working set (line 1). If there is a pair $(e_c, \tau)$ in the working set, it is first removed from $W$ (line 3). If its denotation intersects $C_F$, then we found a trace in the over-approximated system from the initial to the final configurations. In this case, the algorithm returns $\tau$ as a proof of reachability (lines 4, 5). Otherwise, the pair is added to the visited set (line 6) and $post_t(e_c)$ is computed for each $t$ in $T$. Each element in $post_t(e_c)$ is relaxed (line 8) before being added to the set $New_t$. This relaxation is the source of imprecision and is what guarantees termination. Elements of $New_t$ are pruned away if they do not add new configurations (line 10). Otherwise, they are used to remove redundant elements of $V \cup W$ before being added to $W$ together with their updated traces (lines 11, 12).

Algorithm 1: The reachability checker

input: $E_{Init}$ and $E_{C_F}$, operators $post_t(\cdot)$ and $pre_t(\cdot)$ for each $t \in T$, and a relaxation $\nabla$
output: a trace $(e_0 \cdot t_1 \cdot e_1 \cdot t_2 \cdots e_m)$ with $\{e_m\} \sqcap_S E_{C_F} \neq \emptyset$, or unreachable

1   $W := \{(e, e) \mid e \in E_{Init}\}$; $V := \{\}$;
2   while ($W \neq \{\}$) do
3       Pick and remove a pair $(e_c, \tau)$ from $W$;
4       if ($\{e_c\} \sqcap_S E_{C_F} \neq \emptyset$) then
5           return $\tau$;
6       $V := \{(e_c, \tau)\} \cup V$;
7       foreach $t \in T$ do
8           $New_t := \{\nabla(e) \mid e \in post_t(e_c)\}$;
9           foreach $e \in New_t$ do
10              if $\forall (e_{old}, \tau_{old}) \in W \cup V.\ e_{old} \not\sqsubseteq_S e$ then
11                  $V := \{(e_{old}, \tau_{old}) \mid (e_{old}, \tau_{old}) \in V \wedge e \not\sqsubseteq_S e_{old}\}$;
12                  $W := \{(e, \tau \cdot t \cdot e)\} \cup \{(e_{old}, \tau_{old}) \mid (e_{old}, \tau_{old}) \in W \wedge e \not\sqsubseteq_S e_{old}\}$;
13  return unreachable;



Lemma 1 (Reachability). Algorithm 1 always terminates. If it returns unreachable, then $(Init \to^* C_F)$ does not hold for the parameterized system $\mathcal{P} = (Q, T)$. Otherwise, it returns a trace $e_0 \cdot t_1 \cdot e_1 \cdots e_m$ with $e_0 \in E_{Init}$, $\{e_m\} \sqcap_S E_{C_F} \neq \emptyset$, and $e_{i+1} \in \nabla(post_{t_{i+1}}(e_i))$ for each $i : 0 \leq i < m$.
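The following Python is added here and is not the paper's code. It implements Algorithm 1 with a deliberately coarse symbolic representation: the plain threshold-based counter abstraction of the introduction, where an element is one counter over $Q$ (a map from each state to $(= k)$ or $(\geq k)$ on the number of processes in that state) and the relaxation is the threshold weakening of equalities into inequalities. Since such a counter forgets the array order, the abstract $post$ treats $\forall_L$ and $\forall_R$ conditions as always enabled (the moving process can always be placed at an end of the array), which is exactly what makes the analysis report the spurious two-$q_6$ trace the introduction describes. Function names, the threshold 2, the set `Q`, the constructed initial and target elements and the hypothetical $\forall_{LR}$ variant of (1) (`T_LR`, not a Burns transition) are this example's own choices.

```python
# Added example: Algorithm 1 over a plain threshold counter abstraction.
# Not from the paper; names, thresholds and sample elements are this example's own.
from typing import Dict, List, Optional, Tuple

Counter = Dict[str, Tuple[str, int]]              # q -> ("=", k) or (">=", k)
Trans = Tuple[str, str, Optional[str], frozenset]  # (q, q', cond or None, P)

Q = ("q1", "q2", "q3", "q5", "q6")   # states named in the introduction


def implies(a: Tuple[str, int], b: Tuple[str, int]) -> bool:
    """Does constraint a on v_q imply constraint b?"""
    (oa, ka), (ob, kb) = a, b
    if ob == "=":
        return oa == "=" and ka == kb
    return ka >= kb                  # (= k) or (>= k) implies (>= kb) iff k >= kb


def entails(e: Counter, e2: Counter) -> bool:
    """e ⊑ e2: the denotation of e2 is included in that of e."""
    return all(implies(e2[q], e[q]) for q in Q)


def meet_nonempty(e: Counter, e2: Counter) -> bool:
    """Is ⟦e⟧ ∩ ⟦e2⟧ non-empty? Constraints are independent per state."""
    for q in Q:
        (oa, ka), (ob, kb) = e[q], e2[q]
        if oa == ob == "=" and ka != kb:
            return False
        if oa == "=" and ob == ">=" and ka < kb:
            return False
        if ob == "=" and oa == ">=" and kb < ka:
            return False
    return True


def possibly_at_least(c: Tuple[str, int], n: int) -> bool:
    op, k = c
    return k >= n if op == "=" else True


def shift(c: Tuple[str, int], d: int) -> Tuple[str, int]:
    op, k = c
    return (op, max(k + d, 0))


def post(e: Counter, t: Trans) -> List[Counter]:
    """Over-approximated successors. The array order is lost, so a process in q
    may be assumed leftmost or rightmost: forall_L / forall_R are always enabled."""
    q, q2, cond, P = t
    if not possibly_at_least(e[q], 1):
        return []
    rest = dict(e)
    rest[q] = shift(rest[q], -1)     # the other processes, mover removed
    if cond in ("EL", "ER", "ELR") and not any(possibly_at_least(rest[p], 1) for p in P):
        return []
    if cond == "ALR" and any(rest[p][1] > 0 for p in Q if p not in P):
        return []                    # some other process is certainly outside P
    succ = dict(rest)
    succ[q2] = shift(succ[q2], +1)
    return [succ]


def relax(e: Counter, rho: Dict[str, int]) -> Counter:
    """Threshold relaxation: (= k) with k >= rho[q] is weakened to (>= k)."""
    return {q: (">=", k) if (op == "=" and k >= rho[q]) else (op, k)
            for q, (op, k) in e.items()}


def reach(E_init: List[Counter], E_F: List[Counter], T: List[Trans], rho):
    """Algorithm 1: a trace [e0, t1, e1, ..., em] or None (unreachable)."""
    W: List[Tuple[Counter, list]] = [(e, [e]) for e in E_init]
    V: List[Tuple[Counter, list]] = []
    while W:
        ec, tau = W.pop(0)
        if any(meet_nonempty(ec, f) for f in E_F):
            return tau
        V.append((ec, tau))
        for t in T:
            for e in (relax(s, rho) for s in post(ec, t)):
                if any(entails(old, e) for old, _ in W + V):
                    continue                      # line 10: adds nothing new
                V = [(o, tt) for o, tt in V if not entails(e, o)]   # line 11
                W = [(o, tt) for o, tt in W if not entails(e, o)]   # line 12
                W.append((e, tau + [t, e]))
    return None


def counter(**spec) -> Counter:
    """Build a counter; unspecified states are (= 0)."""
    return {q: spec.get(q, ("=", 0)) for q in Q}


T1: Trans = ("q5", "q6", "AR", frozenset({"q1", "q2", "q3"}))    # transition (1)
T_LR: Trans = ("q5", "q6", "ALR", frozenset({"q1", "q2", "q3"}))  # hypothetical variant
INIT = [counter(q5=(">=", 0))]                                    # q5^n for every n
TWO_IN_CS = [{q: (">=", 2) if q == "q6" else (">=", 0) for q in Q}]
RHO = {q: 2 for q in Q}                                           # keep (= k) only for k < 2


def spurious_mutex_trace():
    """The two-step trace the introduction predicts for plain counter abstraction."""
    return reach(INIT, TWO_IN_CS, [T1], RHO)
```

With (1) the search returns a two-transition trace ending in an element with $v_{q_6} \geq 2$, which Algorithm 2 would then fail to replay in the concrete system. With the $\forall_{LR}$ variant the same loop answers unreachable, because once one process is in $q_6$ the counter itself records that some other process is outside $P$.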



Algorithm 2: The trace analyzer

input: a $\nabla$-trace $(e_0 \cdot t_1 \cdot e_1 \cdots e_m)$ with $\{e_m\} \sqcap_S E_{C_F} \neq \emptyset$
output: reachable with the input trace, or a relaxation operator $\nabla'$

1   $Current := \{e_m\} \sqcap_S E_{C_F}$;
2   foreach $i = m - 1$ downto $0$ do
3       $Predecessor := (\bigcup_{e \in Current} pre_{t_{i+1}}(e)) \sqcap_S \{e_i\}$;
4       if ($Predecessor = \emptyset$) then
5           return $\mathcal{S}(post_{t_{i+1}}(e_i), Current, \nabla)$
6       else $Current := Predecessor$
7   $Inter := Current \sqcap_S E_{Init}$;
8   if $Inter \neq \emptyset$ then
9       return reachable, $\tau$
10  else
11      return $\mathcal{S}(\{e_0\}, E_{Init}, \nabla)$

The trace analyzer. Algorithm 2 simulates a trace backward (here in a forward analysis; for a backward analysis, switch $E_{Init}$, $E_{C_F}$, $post_t(\cdot)$, $pre_t(\cdot)$ respectively with $E_{C_F}$, $E_{Init}$, $pre_t(\cdot)$, $post_t(\cdot)$ in both Algorithms 1 and 2) in order to check its possibility in the original system. Only the approximation resulting from the applications of the $\nabla$ relaxation can result in the analyzer failing to follow the supplied $\nabla$-trace. If this happens (lines 4 or 10), the analyzer relies on the separation operator (lines 5 and 11) to supply a stronger relaxation operator that will prune the trace in future analysis. Otherwise, the analyzer will manage to reach the initial configurations (line 8). In this case, it returns the trace as a proof of reachability (line 9).

Lemma 2 (Refinement). Given a $\nabla$-trace $\tau = e_0 \cdot t_1 \cdots e_m$ with $\{e_m\} \sqcap_S E_{C_F} \neq \emptyset$, Algorithm 2 terminates. If it returns $(reachable, \tau)$, then there are $c_0, \ldots, c_m$ in $C$, with $c_0 \in Init$, $c_m \in C_F$ and s.t. $c_i \to_{t_{i+1}} c_{i+1}$ for $i : 0 \leq i < m$. Otherwise, it returns a stronger relaxation $\nabla'$ such that no relaxation $\nabla''$ that is stronger than $\nabla'$ can have a $\nabla''$-trace $e'_0 \cdot t_1 \cdots e'_m$ with $\{e'_m\} \sqcap_S E_{C_F} \neq \emptyset$ and where $e_i \sqsubseteq_S e'_i$ for $i : 0 \leq i < m$.

By combining Lemmata 1 and 2 and the requirement that $\mathcal{S}$ returns a stronger relaxation operator, we get correctness of the algorithm depicted by Figure 1.

Theorem 1. Each iteration of the algorithm depicted in Figure 1 terminates. If it returns unreachable, then $Init \to^* C_F$ does not hold. If it returns $(reachable, \tau)$, then $Init \to^* C_F$ via the transitions in $\tau$. In addition, no trace is generated twice.



5 Counted Words 



Counters. We fix a finite set of variables $V_Q$. We define in the following the set of counters $\mathcal{C}$ over $Q$. The set $V_Q$ is in a one to one correspondence with $Q$. Each variable $v$ is associated to a state $q$ in $Q$. We write $v_q$ to make the association clear. Intuitively, $v_q$ is used to count the number of occurrences of the associated letter $q$ in a word in $Q^*$. A counter basically captures multisets over $Q$ by separately imposing a constraint on each state in $Q$. Indeed, we define a counter $cr$ to be a conjunction $[\bigwedge_{q \in Q} (v_q \sim k)]$ where $\sim$ is in $\{=, \geq\}$, each $v_q$ is a variable ranging over $\mathbb{N}$ and each $k$ is a constant in $\mathbb{N}$. For a state $q$ in $Q$, we write $cr(q)$ to mean the strongest predicate of the form $(v_q \sim k)$ implied by the counter $cr$. We write $cr_q$ to mean the counter $[\bigwedge_{q' \in Q} (v_{q'} = b_{q'})]$ with $b_{q'}$ equal to $1$ for $q' = q$ and to $0$ otherwise. A substitution is a set $\{v_1 \leftarrow u_1, \ldots\}$ of pairs where $v_1, \ldots$ are distinct variables (i.e., $v_i \neq v_j$ if $i \neq j$) and $u_1, \ldots$ are either all variables or all natural numbers. Given a counter $cr$ and a substitution $S$, we write $cr[S]$ to mean the formula obtained by replacing, for each pair $v_i \leftarrow u_i$, each occurrence of $v_i$ in $cr$ by $u_i$. We sometimes regard a multiset $m$ as the substitution $\{v_q \leftarrow m(q) \mid q \in Q\}$. For a counter $cr$ and a multiset $m$, the formula $cr[m]$ takes a Boolean value. In the case where it evaluates to true (resp. false), we say that $m$ satisfies (resp. does not satisfy) the counter $cr$. Given a word $w$ in $Q^*$ and a counter $cr$, we abuse notation and write $cr[w]$ to mean that $w^\#$ satisfies $cr$. For a counter $cr$, we write $[\![cr]\!]$ to mean the set $\{w \mid cr[w] \text{ and } w \in Q^*\}$. We define the precision of a counter $cr$, written $\kappa(cr)$, to be the multiset that associates to each state $q$ in $Q$ the value $0$ if $cr(q) = (v_q \geq k)$, and $k + 1$ if $cr(q) = (v_q = k)$. Observe that if $\kappa(cr)(q) \neq 0$ for all $q \in Q$, then $cr$ accepts a single multiset, while if $\kappa(cr)(q) = 0$ for all $q \in Q$, then $cr$ accepts an upward closed set of multisets (wrt. $\sqsubseteq$). For a natural number $k$, we write $\mathcal{C}_k$ to mean the set $\{cr \mid \kappa(cr)(q) \leq k \text{ for each } q \in Q\}$.

Example 1. Assume a counter $cr = [v_a = 0 \wedge v_b = 2 \wedge v_c \geq 1]$. The following holds: $\kappa(cr)(a) = 1$, $\kappa(cr)(b) = 3$, and $\kappa(cr)(c) = 0$. In addition, $cr$ is in $\mathcal{C}_3$.

We use $\bot_C$ to mean $[false]$ ($[\![\bot_C]\!] = \emptyset$) and $\top_C$ to mean $[\bigwedge_{q \in Q} (v_q \geq 0)]$ ($[\![\top_C]\!] = Q^*$). We assume two counters $cr$ and $cr'$ and define a number of operations on them.

- The meet $cr \sqcap_C cr'$ is the conjunction $cr \wedge cr'$ of the two counters. The denotation of the meet $[\![cr \sqcap_C cr']\!]$ is the intersection of the denotations $[\![cr]\!] \cap [\![cr']\!]$.

- The counter $cr'$ is said to entail the counter $cr$ (we write $cr \sqsubseteq_C cr'$) if $cr'$ implies $cr$, i.e., $cr' \Rightarrow cr$. Observe that $cr \sqsubseteq_C cr'$ means $[\![cr']\!] \subseteq [\![cr]\!]$.

$$\exists (u_{q_1}, \ldots, u_{q_n}, u'_{q_1}, \ldots, u'_{q_n}).\ \bigwedge_{q \in Q} (v_q = u_q + u'_q) \wedge cr[S'] \wedge cr'[S''] \qquad (3)$$

$$\exists (u_{q_1}, \ldots, u_{q_n}, u'_{q_1}, \ldots, u'_{q_n}).\ \bigwedge_{q \in Q} (v_q = u_q - u'_q \wedge u_q \geq u'_q) \wedge cr[S'] \wedge cr'[S''] \qquad (4)$$

- The sum $cr \oplus_C cr'$ is the conjunction obtained in (3), with $S' = \{v_q \leftarrow u_q \mid q \in Q\}$ and $S'' = \{v_q \leftarrow u'_q \mid q \in Q\}$. Intuitively, $[\![cr \oplus_C cr']\!]$ coincides with the shuffle set $\{w \sqcup\!\sqcup w' \mid w \in [\![cr]\!] \text{ and } w' \in [\![cr']\!]\}$. In fact, $(cr_1 \oplus_C cr_2)[m]$ iff there are multisets $m_1, m_2$ with $m = m_1 \oplus m_2$ and s.t. $cr_1[m_1]$ and $cr_2[m_2]$.






- In a similar manner, the difference $cr \ominus_C cr'$ is the conjunction obtained in (4), where $S'$, $S''$ are defined as above. Intuitively, $cr \ominus_C cr'$ denotes words that can be shuffled with a word from $[\![cr']\!]$ to obtain a word in $[\![cr]\!]$. That is, $[\![cr \ominus_C cr']\!]$ is $\{w \mid w \sqcup\!\sqcup w' \in [\![cr]\!] \text{ and } w' \in [\![cr']\!]\}$. In other words, $(cr_1 \ominus_C cr_2)[m]$ iff there are multisets $m_1$ and $m_2$ with $m = m_1 \ominus m_2$ defined and s.t. $cr_1[m_1]$ and $cr_2[m_2]$.

Lemma 3. For any $k \in \mathbb{N}$, $(\mathcal{C}_k, \sqsubseteq_C)$ is a well quasi ordering. In fact, from every infinite sequence $(cr_1, cr_2, \ldots)$, we can extract an infinite subsequence $(cr_{i_1} \sqsubseteq_C cr_{i_2} \sqsubseteq_C \cdots)$.

Counted words. A counted word is any member $\varphi$ of $(\mathcal{C} \times Q \times \mathcal{C})^*$. If $(l, q, r) \in (\mathcal{C} \times Q \times \mathcal{C})$, we write $(l, q, r)^{\circ}$ to mean $q$. Assume $\varphi = (l_1, q_1, r_1) \cdots (l_n, q_n, r_n)$ is a counted word. The base of $\varphi$ (written $\overline{\varphi}$) is the word $q_1 \cdots q_n \in Q^*$. We write $lc(\varphi)$ (resp. $rc(\varphi)$) to mean the counter $\top_C$ if $\varphi = \epsilon$, and $l_1$ (resp. $r_n$) otherwise. We refer to $l_1, \ldots, l_n$ (resp. $r_1, \ldots, r_n$) as the left (resp. right) counters of $\varphi$. The counted word $\varphi$ is well formed if $l_i[\overline{\varphi}_{[1..i-1]}]$ and $r_i[\overline{\varphi}_{[i+1..n]}]$ for each $i : 1 \leq i \leq n$, i.e., if the base itself respects every counter. We assume $\epsilon$ is well formed. Example 2 depicts a counted word. Well formedness imposes that the predicates in the counters are of a certain form. This is captured by the following lemma.

Lemma 4 (Well formedness). Assume a counted word $\varphi = (l_1, q_1, r_1) \cdots (l_n, q_n, r_n)$. For each $i : 1 \leq i \leq n$, let $p^l_i = (\overline{\varphi}_{[1..i-1]})^\#$ and $p^r_i = (\overline{\varphi}_{[i+1..n]})^\#$. Then:

- each $l_i(q)$ equals $(v_q = p^l_i(q))$ or $(v_q \geq k)$ for some $k$ in $\{0, \ldots, p^l_i(q)\}$;

- each $r_i(q)$ equals $(v_q = p^r_i(q))$ or $(v_q \geq k)$ for some $k$ in $\{0, \ldots, p^r_i(q)\}$.

Denotation. Given a word $w$ with $|w| = m$ and an increasing injection $h : \overline{n} \to \overline{m}$, we write $w \models_h \varphi$ to mean that all following three conditions hold for each $i : 1 \leq i \leq n$: (i) $\overline{\varphi}[i] = w[h(i)]$, (ii) $l_i(w_{[1..h(i)-1]})$, and (iii) $r_i(w_{[h(i)+1..m]})$. Intuitively, there is an injection $h$ that ensures $\overline{\varphi}$ is a subword of $w$, and s.t. the words to the left and right of each image of $h$ respectively respect the corresponding left and right counters in $\varphi$. We write $w \models \varphi$ if $w \models_h \varphi$ for some injection $h$, and $[\![\varphi]\!]$ to mean $\{w \mid w \models \varphi\}$. We let $[\![\epsilon]\!] = Q^*$. Observe that every well formed word has a non-empty denotation since $\overline{\varphi} \models \varphi$. We use $\mathcal{CW}$ to mean the set of well formed counted words.

Example 2. $\varphi = ([v_a = 0 \wedge v_b \geq 0], a, [v_a \geq 0 \wedge v_b \geq 0]) \cdot ([v_a = 1 \wedge v_b = 0], a, [v_a = 0 \wedge v_b \geq 0])$ and $[\![\varphi]\!] = aab^*$.

Entailment. For $\varphi = (l_1, q_1, r_1) \cdots (l_n, q_n, r_n)$ and $\varphi' = (l'_1, q'_1, r'_1) \cdots (l'_m, q'_m, r'_m)$, we say that $\varphi$ is entailed by $\varphi'$ if $\varphi \sqsubseteq^h_{CW} \varphi'$ for some increasing injection $h : \overline{n} \to \overline{m}$, where $\varphi \sqsubseteq^h_{CW} \varphi'$ requires for each $i : 1 \leq i \leq n$ that the following three conditions hold: $\overline{\varphi}[i] = \overline{\varphi'}[h(i)]$, $l_i \sqsubseteq_C l'_{h(i)}$, and $r_i \sqsubseteq_C r'_{h(i)}$. We write $\varphi \sqsubseteq_{CW} \varphi'$ to mean that $\varphi$ is entailed by $\varphi'$. Observe that $([v_a \geq 0], a, [v_a = 0]) \not\sqsubseteq_{CW} ([v_a = 0], a, [v_a \geq 0])$ but $[\![([v_a \geq 0], a, [v_a = 0])]\!] = [\![([v_a = 0], a, [v_a \geq 0])]\!]$ (for $Q = \{a\}$, both denote $a^+$: the first pins the last $a$ of the word, the second its first $a$).

Lemma 5 (Entailment). The relation $\sqsubseteq_{CW}$ is both reflexive and transitive. In addition, $\varphi \sqsubseteq_{CW} \varphi'$ implies $[\![\varphi']\!] \subseteq [\![\varphi]\!]$.

Bounded precision. We define the precision of a well formed word as a multiset $\kappa(\varphi)$. It associates to each $q$ the natural number $\max\{\kappa(cr)(q) \mid cr \text{ is a counter in } \varphi\}$. In Example 2 for instance, $\kappa(\varphi)(a) = 2$ and $\kappa(\varphi)(b) = 1$. We say that a counted word $\varphi$ has a $k$-bounded precision if all its counters are in $\mathcal{C}_k$. For example, counted words with a $0$-bounded precision only have inequalities in their counters (they denote upward closed sets with respect to the subword ordering). We write $\mathcal{CW}_k$ to mean the set of well formed counted words that have a $k$-bounded precision.

Theorem 2 (WQO). For any fixed $k \in \mathbb{N}$, $(\mathcal{CW}_k, \sqsubseteq_{CW})$ is a well quasi ordering.
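As an added example (not from the paper), the following Python encodes counters and counted words as defined in this section and checks Example 1, Example 2 and the entailment observation above: the precision $\kappa$, membership in $\mathcal{C}_k$, the denotation $w \models \varphi$ by an exhaustive search over increasing injections $h$, the word precision $\kappa(\varphi)$, and the syntactic entailment $\sqsubseteq_{CW}$. Helper names, the representation of a counter as a map from state to `("=", k)` or `(">=", k)`, and the length-bounded enumeration of a (generally infinite) denotation are this example's own choices; `A_CW` and `B_CW` are the two single-letter counted words of the observation.

```python
# Added example: counters, counted words, denotation and entailment (Section 5).
# Not from the paper; representation and helper names are this example's own.
from itertools import combinations, product
from typing import Dict, List, Set, Tuple

Counter = Dict[str, Tuple[str, int]]                 # q -> ("=", k) or (">=", k)
CountedWord = List[Tuple[Counter, str, Counter]]     # list of (l, q, r)


def parikh(w: str, Q) -> Dict[str, int]:
    """Parikh image w^#: number of occurrences of each letter of Q in w."""
    return {q: w.count(q) for q in Q}


def satisfies(cr: Counter, w: str) -> bool:
    """cr[w]: the Parikh image of w satisfies every conjunct of cr."""
    m = parikh(w, cr.keys())
    return all(m[q] == k if op == "=" else m[q] >= k for q, (op, k) in cr.items())


def precision(cr: Counter) -> Dict[str, int]:
    """κ(cr): 0 for (v_q >= k), k + 1 for (v_q = k)."""
    return {q: (k + 1 if op == "=" else 0) for q, (op, k) in cr.items()}


def in_C(cr: Counter, k: int) -> bool:
    """Membership in C_k: every state has precision at most k."""
    return all(p <= k for p in precision(cr).values())


def counter_entails(cr: Counter, cr2: Counter) -> bool:
    """cr ⊑_C cr2: cr2 implies cr (so ⟦cr2⟧ ⊆ ⟦cr⟧), checked state by state."""
    for q, (op, k) in cr.items():
        op2, k2 = cr2[q]
        if (op == "=" and (op2, k2) != ("=", k)) or (op == ">=" and k2 < k):
            return False
    return True


def models(w: str, phi: CountedWord) -> bool:
    """w ⊨ φ: some increasing injection h : n -> m places the base letters in w so
    that each prefix/suffix satisfies the corresponding left/right counter."""
    n, m = len(phi), len(w)
    for h in combinations(range(m), n):          # increasing injections
        if all(w[h[i]] == q and satisfies(l, w[:h[i]]) and satisfies(r, w[h[i] + 1:])
               for i, (l, q, r) in enumerate(phi)):
            return True
    return False


def cw_entails(phi: CountedWord, phi2: CountedWord) -> bool:
    """φ ⊑_CW φ2: an increasing injection matches bases and entails counters."""
    n, m = len(phi), len(phi2)
    return any(all(phi2[h[i]][1] == q and counter_entails(l, phi2[h[i]][0])
                   and counter_entails(r, phi2[h[i]][2])
                   for i, (l, q, r) in enumerate(phi))
               for h in combinations(range(m), n))


def word_precision(phi: CountedWord) -> Dict[str, int]:
    """κ(φ): per state, the maximum precision over all counters of φ."""
    Q = phi[0][0].keys()
    return {q: max(precision(c)[q] for l, _, r in phi for c in (l, r)) for q in Q}


def bounded_denotation(phi: CountedWord, Q, maxlen: int) -> Set[str]:
    """All words over Q of length <= maxlen that belong to ⟦φ⟧."""
    return {"".join(t) for n in range(maxlen + 1) for t in product(Q, repeat=n)
            if models("".join(t), phi)}


# Example 1: cr = [v_a = 0 ∧ v_b = 2 ∧ v_c >= 1]
CR1: Counter = {"a": ("=", 0), "b": ("=", 2), "c": (">=", 1)}

# Example 2: ([v_a=0 ∧ v_b>=0], a, [v_a>=0 ∧ v_b>=0]) ([v_a=1 ∧ v_b=0], a, [v_a=0 ∧ v_b>=0])
PHI2: CountedWord = [
    ({"a": ("=", 0), "b": (">=", 0)}, "a", {"a": (">=", 0), "b": (">=", 0)}),
    ({"a": ("=", 1), "b": ("=", 0)}, "a", {"a": ("=", 0), "b": (">=", 0)}),
]

# The entailment observation: equal denotations, no entailment either way.
A_CW: CountedWord = [({"a": (">=", 0)}, "a", {"a": ("=", 0)})]
B_CW: CountedWord = [({"a": ("=", 0)}, "a", {"a": (">=", 0)})]

if __name__ == "__main__":
    print(precision(CR1), in_C(CR1, 3))
    print(sorted(bounded_denotation(PHI2, "ab", 4)))   # aa, aab, aabb
    print(cw_entails(A_CW, B_CW), cw_entails(B_CW, A_CW))
```

The search in `models` is exponential in the length of the base, which is fine for checking examples; it is only the semantic reference against which the syntactic operations of the section (entailment, strengthening, relaxation) can be validated.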

Strengthening of well formed words. Counters in a counted word are not independent. Consider for instance $\varphi = (l_1, a, r_1)(l_2, a, r_2)$ in Example 2. We can change $l_1(b)$ to $(v_b = 0)$ without affecting the denotation of $\varphi$. The reason is that any prefix accepted by $l_1$ will have to be allowed by $l_2$. It is therefore vacuous for $l_1$ to accept words containing $b$, and more generally to accept more than $l_2 \ominus_C cr_a$. Also, observe that $l_2$ and $r_2$ imply we can change $r_1(a)$ from $(v_a \geq 0)$ to $(v_a = 1)$. We strengthen the counters of a well formed word by applying in any order the rules in Figure 2 until a fixpoint is reached.

right:  $\varphi_p \cdot (l, q, r) \cdot (l', q', r') \cdot \varphi_s \ \Longrightarrow\ \varphi_p \cdot (l, q, r \sqcap_C r'') \cdot (l', q', r') \cdot \varphi_s$

right': $\varphi_p \cdot (l, q, r) \cdot (l', q', r') \cdot \varphi_s \ \Longrightarrow\ \varphi_p \cdot (l, q, r) \cdot (l', q', r' \sqcap_C (r \ominus_C cr_{q'})) \cdot \varphi_s$

left:   $\varphi_p \cdot (l, q, r) \cdot (l', q', r') \cdot \varphi_s \ \Longrightarrow\ \varphi_p \cdot (l \sqcap_C (l' \ominus_C cr_q), q, r) \cdot (l', q', r') \cdot \varphi_s$

left':  $\varphi_p \cdot (l, q, r) \cdot (l', q', r') \cdot \varphi_s \ \Longrightarrow\ \varphi_p \cdot (l, q, r) \cdot (l' \sqcap_C l'', q', r') \cdot \varphi_s$

Fig. 2. Strengthening rules for counted words. The counter $r''$ in rule right equals $r' \oplus_C cr_{q'} \oplus_C (l' \ominus_C (l \oplus_C cr_q))$, and the counter $l''$ in rule left' equals $l \oplus_C cr_q \oplus_C (r \ominus_C (r' \oplus_C cr_{q'}))$.

Lemma 6 (Strengthening). Given a well formed word $\varphi$, the strengthening procedure terminates and yields a unique well formed word $\varphi'$ s.t. $[\![\varphi]\!] = [\![\varphi']\!]$ and $\varphi \sqsubseteq_{CW} \varphi'$.

Let $\mathcal{SCW}$ (resp. $\mathcal{SCW}_k$) be the set of strengthened words in $\mathcal{CW}$ (resp. in $\mathcal{CW}_k$). We will use $\mathcal{SCW}$ as a symbolic representation for the generic scheme of Section 4.

6 Instantiation of the Refinement Algorithm 

We instantiate the scheme of Section 4 using the set $\mathcal{SCW}$ as a symbolic representation. For this, we define a family of relaxation operators, show how to compute successors and predecessors on $\mathcal{SCW}$, and describe both meet and separation operators.

Relaxation. We use the notion of relaxing a counted word $\varphi$ wrt. a resolution (in this context, a multiset) $\rho$. First, given a counter $cr$, the relaxation of $cr$ wrt. $\rho$, written $\nabla_\rho(cr)$, is the counter $[\bigwedge_{q \in Q} (v_q \sim k)]$ s.t. $(v_q \sim k)$ is equal to $(v_q = k)$ if $cr(q)$ was $(v_q = k)$ with $k < \rho(q)$, and equal to $(v_q \geq k)$ otherwise. In other words, relaxation does not keep track of equalities larger than what is allowed by the resolution. The relaxation of a counted word $\varphi$ wrt. a resolution $\rho$ is simply the word $\nabla_\rho(\varphi)$ obtained by strengthening the word resulting from the relaxation of all counters in $\varphi$ wrt. $\rho$. We let $\mathcal{D}_{SCW}$ be the set $\{\nabla_\rho \mid \rho \text{ is a multiset over } Q\}$.

Lemma 7 (Relaxation). Given $\varphi$ in $\mathcal{CW}$ and resolutions $\rho \sqsubseteq \rho'$, we have: $\nabla_\rho(\varphi) \sqsubseteq_{CW} \nabla_{\rho'}(\varphi) \sqsubseteq_{CW} \varphi$, and $\nabla_\rho(\varphi)$ is in $\mathcal{SCW}_{\max(2, 2k - 1)}$ with $k = \max\{\rho(q) \mid q \in Q\}$.

Post and Pre operators. First, we define an operator q ⊗ φ that takes a strengthened well formed word φ and a state q and returns all tuples (φ1, (l,q,r), φ2) s.t. either φ = φ1 · (l,q,r) · φ2, or φ = φ1 · φ2 with q ∈ cxt(rc(φ1)) ∩ cxt(lc(φ2))*, l = lc(φ2), and r = rc(φ1). If (φ1, (l,q,r), φ2) is in q ⊗ φ then φ ⊑_cw (φ1 · (l,q,r) · φ2). Intuitively, if it is possible to place the state q in some position in φ, there will be a tuple (φ1, (l,q,r), φ2) in q ⊗ φ to capture that. In addition, for P ⊆ Q, we write O_P to mean the counter [⋀_{q∈P}(v_q = 0) ∧ ⋀_{q∉P}(v_q ≥ 0)]. We describe how to compute post_t(φ) and pre_t(φ) for a transition t ∈ T and a word φ in SCW. For each local (q → q') or global (q → q' : QP) transition t, the set post_t(φ) is the smallest set containing strengthenings of all words φ'1 · (l',q',r') · φ'2 that satisfy the following. There is a tuple (φ1, (l,q,r), φ2) in q ⊗ φ s.t. φ1 = (l1,q1,r1) ⋯ (ln,qn,rn) and φ2 = (l_{n+1},q_{n+1},r_{n+1}) ⋯ (lm,qm,rm), and:

1. Either t is a local transition q → q', and φ'1 = (l1,q1,r'1) ⋯ (ln,qn,r'n) and φ'2 = (l'_{n+1},q_{n+1},r_{n+1}) ⋯ (l'm,qm,rm) with r'i = ri ⊕_C cr_{q'} ⊖_C cr_q for each i : 1 ≤ i ≤ n, and l'i = li ⊕_C cr_{q'} ⊖_C cr_q for each i : n+1 ≤ i ≤ m. Also, l = l' and r = r'. Intuitively, we update the right counters of φ1 and the left counters of φ2 by requiring from all accepted multisets to have one less q and one additional q', or

2. t equals q → q' : ∀_L P, s.t. {q1, …, qn} ⊆ P and φ'1 = (l'1,q1,r'1) ⋯ (l'n,qn,r'n), l' = l ⊓_C O_{Q\P}, r' = r, and φ'2 = (l'_{n+1},q_{n+1},r_{n+1}) ⋯ (l'm,qm,rm) with l'i = li ⊓_C O_{Q\P} and r'i = ri ⊕_C cr_{q'} ⊖_C cr_q for each i : 1 ≤ i ≤ n, and l'i = li ⊕_C cr_{q'} ⊖_C cr_q for each i : n+1 ≤ i ≤ m. Intuitively, we check first that there is at least a (possibly empty) prefix in P. If it is the case, we require that all accepted multisets to the left of q only contain states in P. In addition, we update the right counters of φ1 and the left counters of φ2 like in the previous case, or

3. t is of the form q → q' : ∃_L P, and for some p ∈ P there is a tuple (φ''1, (l'',p,r''), φ''2) in p ⊗ φ1 with φ''1 · (l'',p,r'') · φ''2 = (l''1,q''1,r''1) ⋯ (l''_{m''},q''_{m''},r''_{m''}), and φ'1 = (l''1, q''1, r''1 ⊕_C cr_{q'} ⊖_C cr_q) ⋯ (l''_{m''}, q''_{m''}, r''_{m''} ⊕_C cr_{q'} ⊖_C cr_q) and φ'2 = (l_{n+1} ⊕_C cr_{q'} ⊖_C cr_q, q_{n+1}, r_{n+1}) ⋯ (lm ⊕_C cr_{q'} ⊖_C cr_q, qm, rm). Also, l = l' and r = r'. Intuitively, we make sure there is a witness p in P to the left of q. Then, we update the counters like for the first case.

The cases q → q' : QP where QP is of the form ∀_R P or ∀_{LR} P are similar to case (2), and those where QP is of the form ∃_R P or ∃_{LR} P are similar to case (3). Also, we let pre_t(φ) be post_{(q' → q)}(φ) if t = (q → q') and post_{(q' → q : QP)}(φ) if t = (q → q' : QP).

Lemma 8 (Post and Pre). Given a strengthened word φ and a transition t we can compute a set of words post_t(φ) (resp. pre_t(φ)) such that post_t(φ) ⊑_cw post_t(φ') (resp. pre_t(φ) ⊑_cw pre_t(φ')) if φ ⊑_cw φ'. In addition, [[post_t(φ)]] and [[pre_t(φ)]] respectively equal {c' | c →_t c' with c in [[φ]]}, and {c' | c' →_t c with c in [[φ]]}.

Meet of counted words. Given φ, φ' in SCW, we strengthen the result of Procedure (zip) and obtain a set φ ⊓_cw φ' of counted words that entail both φ and φ' and whose denotation coincides with [[φ]] ∩ [[φ']]. The procedure builds a constrained shuffle of φ and φ'.

* We write cxt(cr), for a counter cr, to mean the set {q | κ(cr)(q) = 0}.



Procedure zip(z, (p : s), (p' : s'))

1   collect := ∅;
2   if (s ≠ ε) then
3     if (hd(s)_q ∈ (cxt(rc(p')) ∩ cxt(lc(s')))) then
4       collect ∪:= zip((z · hd(s)) : ((p · hd(s)), tl(s)) : (p', s'))
5   if (s ≠ ε ∧ s' ≠ ε) then
6     if (lc(hd(s)) ⊓_C lc(hd(s')) ≠ ⊥_C) ∧ (hd(s)_q = hd(s')_q) ∧ (rc(hd(s)) ⊓_C rc(hd(s')) ≠ ⊥_C) then
7       e := (lc(hd(s)) ⊓_C lc(hd(s')), hd(s)_q, rc(hd(s)) ⊓_C rc(hd(s')));
8       collect ∪:= zip((z · e) : ((p · hd(s)), tl(s)) : ((p' · hd(s')), tl(s')))
9   if (s' ≠ ε) then
10    if (hd(s')_q ∈ (cxt(rc(p)) ∩ cxt(lc(s)))) then
11      collect ∪:= zip((z · hd(s')) : (p, s) : ((p' · hd(s')), tl(s')))
12  if (s = ε ∧ s' = ε) then
13    collect := {z}
14  return collect;

Procedure zip takes as arguments five counted words z, p, s, p', s', with φ = (p · s) and φ' = (p' · s'). We write (z, (p : s), (p' : s')) for clarity. Intuitively, each call tries to complete the first argument z in order to obtain a word that entails both (p · s) and (p' · s'). The procedure starts with (ε, (ε : φ), (ε : φ')) and collects all such words z. At each call, it considers contributions to z from hd(s) (lines (2-4)), hd(s') (lines (9-11)), or both hd(s) and hd(s') (lines (5-8)). Lines (2-4) capture the situation where a state in z is mapped to hd(s) and tolerated by φ' (test at line (3)). Lines (5-8) correspond to a state in z simultaneously mapped to hd(s) and hd(s'). The words s and s' contain states that are still not treated. Termination is obtained with the ranking function |s| + |s'|. The following lemma establishes correctness of Procedure (zip).



Lemma 9 (intersection). Given φ, φ' in SCW, zip(ε : (ε, φ) : (ε, φ')) returns a set {φ1, …, φn} s.t. (φ ⊑_cw φi), (φ' ⊑_cw φi) for each i : 1 ≤ i ≤ n, and ⋃_{i : 1 ≤ i ≤ n} [[φi]] = [[φ]] ∩ [[φ']].



Separation operator. Assume strengthened words φ, φ' and a resolution ρ s.t. (φ ⊓_cw φ' = ∅) but (∇_ρ(φ) ⊓_cw φ' ≠ ∅). We describe the operator S({φ}, {φ'}, ρ). By Lemma (9), zip(ε : (ε, φ) : (ε, φ')) = ∅ but zip(ε : (ε, ∇_ρ(φ)) : (ε, φ')) ≠ ∅. Operator S({φ}, {φ'}, ρ) returns a stronger ρ' s.t. zip(ε : (ε, ∇_{ρ'}(φ)) : (ε, φ')) is also empty. First, we introduce the two operators reasons(q ∉ cxt(cr)) and reasons(cr ⊓_C cr' = ⊥_C), where q ∈ Q and cr, cr' ∈ C. The operator reasons(q ∉ cxt(cr)) returns the predicate (v_q > κ(cr)(q)) if q ∉ cxt(cr) and false otherwise. We



Procedure augzip(z, (p : s), (p̄ : s̄), (p' : s'))

1   collect, avoid := ∅, true;
2   if (s ≠ ε) then
3     if (hd(s)_q ∈ (cxt(rc(p')) ∩ cxt(lc(s')))) then
4       c, v := augzip((z · hd(s)) : ((p · hd(s)), tl(s)) : ((p̄ · hd(s̄)), tl(s̄)) : (p', s'));
5       collect ∪:= c; avoid ∧:= v;
6   if (s ≠ ε ∧ s' ≠ ε) then
7     if (lc(hd(s)) ⊓_C lc(hd(s')) ≠ ⊥_C) ∧ (hd(s)_q = hd(s')_q) ∧ (rc(hd(s)) ⊓_C rc(hd(s')) ≠ ⊥_C) then
8       e := (lc(hd(s)) ⊓_C lc(hd(s')), hd(s)_q, rc(hd(s)) ⊓_C rc(hd(s')));
9       c, v := augzip((z · e) : ((p · hd(s)), tl(s)) : ((p̄ · hd(s̄)), tl(s̄)) : ((p' · hd(s')), tl(s')));
10      collect := collect ∪ c;
11      avoid ∧:= v ∨ reasons(lc(hd(s̄)) ⊓_C lc(hd(s')) = ⊥_C) ∨ reasons(rc(hd(s̄)) ⊓_C rc(hd(s')) = ⊥_C);
12  if (s' ≠ ε) then
13    if (hd(s')_q ∈ (cxt(rc(p)) ∩ cxt(lc(s)))) then
14      c, v := augzip((z · hd(s')) : (p, s) : (p̄, s̄) : ((p' · hd(s')), tl(s')));
15      collect := collect ∪ c;
16      avoid ∧:= v ∨ reasons(hd(s')_q ∉ cxt(rc(p̄))) ∨ reasons(hd(s')_q ∉ cxt(lc(s̄)));
17  if (s = ε 
∧ s' = ε) then collect, avoid := {z}, false;
18  return (collect, avoid);



use this operator at line (16) of the Procedure augzip. Intuitively, cr is a counter prior to relaxation. Relaxation allows q in the resulting context (test at line (13)). The idea is to collect possible requirements (hence the disjunctions at line (16)) for a resolution to forbid a meet, here by forbidding q to belong to the relaxed context if q did not belong to the context prior to relaxation. If q was allowed by the context of the counter prior to relaxation, then no new resolution will forbid this by relaxing the counter. The second operator reasons(cr ⊓_C cr' = ⊥_C) achieves a similar result. It is used at line (11) and returns the conjunction ⋀{(v_q > κ(cr)(q)) | (cr(q) ∧ cr'(q)) is false}. Intuitively, cr is a counter prior to relaxation. The resulting counter after relaxation does meet the counter cr' (test at line (7)). If cr does not meet cr', the operator collects the bounds that failed the meet. These will be used as possible requirements (disjunctions at line (11)) on a new resolution to ensure that after relaxation, the new counter will also not meet cr', and hence fail the test at line (7). The Procedure augzip is an instrumentation of Procedure zip. Indeed, augzip(ε : (ε, ∇_ρ(φ)) : (ε, φ) : (ε, φ')) mimics zip(ε : (ε, ∇_ρ(φ)) : (ε, φ')). It tracks predicates on resolutions and builds an And-Or tree. Conjunctions at lines (5, 11, 16) reflect that no shuffle should succeed with the new relaxation. The formula avoid will only accept resolutions that forbid the intersection.

Lemma 10 (separation). Assume zip(ε : (ε, φ) : (ε, φ')) returns an empty set. If augzip(ε : (ε, ∇_ρ(φ)) : (ε, φ) : (ε, φ')) returns the pair (_, avoid), then any resolution ρ' that satisfies (avoid[ρ']) ensures that zip(ε : (ε, ∇_{ρ_max}(φ)) : (ε, φ')) returns the empty set, with ρ_max(q) = max(ρ(q), ρ'(q)) for each q in Q.

S({e1, …, en}, {e'1, …, e'm}, ∇_ρ) is obtained by choosing ρ' to satisfy each avoid_{(i,j)} resulting from augzip(ε : (ε, ∇_ρ(ei)) : (ε, ei) : (ε, e'j)) for i : 1 ≤ i ≤ n and j : 1 ≤ j ≤ m. This is possible because each avoid_{(i,j)} denotes an upward closed set of multisets.



7 Experimental Results

We have implemented the scheme of Figure (1) in OCaml (prototype "Pcw" available from the author's homepage) and run experiments on an Intel Core 2 Duo 2.26 GHz laptop with 4GB of memory. Table (1) summarizes the results. We have considered four classical mutex algorithms, namely Burns [4], compact [6] and refined [19] versions of Szymanski's algorithm, and the related Gribomont-Zenner mutex [14] (described in the appendix). The algorithms respectively appear under rows (I, II, III and IV) in Table (1). In all experiments, we used the same initial relaxation ∇_ρ for both forward and backward analysis, with the same value of ρ(q) for each q in Q. For each instantiation and each algorithm, we give running times in seconds, the number of refinement steps, the number of generated counted words and the outcome of the analysis. For the last item, we write "?" to mean a trace was found by the over-approximated analysis, and write "✓" to mean unreachability (i.e., safety) is established. We allocate a budget of 20 minutes for each refinement step, and write "×" in case the analysis exhausted the allocated time. We managed to establish mutual exclusion for the four algorithms using the backward version of the generic scheme. In forward, we could establish mutual exclusion for both algorithms (I) and (II). The analysis exhausted its time budget for the two other algorithms. Backward analysis seems to profit from the fact that it starts from an upward closed set of configurations. Forward analysis does not have that advantage.



We did experiment with non-approximated relaxations of the counters (i.e., simple accelerations). While this boosted performance, we do not report it in Table (1) since this does not strictly follow the scheme of Section (4). Combining with more systematic accelerations instead of taking one step at a time can be the subject of a natural extension of this work.



8 Conclusions

We have introduced a new symbolic representation for the verification of parameterized systems where processes are organized in a linear array. The new representation combines counter abstraction with upward closure based techniques. It allows for an approximated analysis with a threshold-based precision that can be uniformly tuned. Based on the representation, we implemented a counter example based refinement scheme that illustrated the applicability and the relevance of the representation, both for forward and for backward analysis. One direction of future work is to investigate more efficient and symbolic encodings. Another direction is to investigate the applicability of such ideas, where counting constraints still converge based on a well quasi ordering argument, to other problems like parameterized systems with different topologies (trees, graphs, etc.) or heap manipulating programs.
Table 1. SCW based forward and backward analysis of mutex algorithms.
A Examples



We describe in the following the mutual exclusion algorithms on which we experimented the generic scheme of Section (4) with SCW as symbolic representation. In all experiments, we used the same initial relaxation ∇_ρ for both forward and backward analysis, with the same value of ρ(q) for each q in Q.

A.1 Burns mutex

In this algorithm (Fig. 3), local states range over {q(1:0), q(2:0), q(3:0)} (modeling a state where a local flag equals 0), and {q(3:1), q(4:1), q(5:1), q(6:1), q(7:1)} (modeling a state where a local flag equals 1). Each process interested in accessing the critical section checks twice to its left if there are other interested processes (i.e., with a flag set to 1). If there are, it returns to q(1:0). Otherwise, it continues (starting with transition t4) towards the critical section (modeled as state q(6:1)). All processes at q(5:1) will successively access the critical section starting with the right most ones. Mutual exclusion is violated in case more than one process is at state q(6:1).

Fig. 3. Burns algorithm, with counters cr_i = [(v_{q(1:0)} ≥ 0) ∧ ⋀_{q∈Q\{q(1:0)}}(v_q = 0)], cr_f = [⋀_{q∈Q}(v_q ≥ 0)], and cr'_f = [(v_{q(6:1)} > 1) ∧ ⋀_{q∈Q\{q(6:1)}}(v_q ≥ 0)].



A.2 Compact version of Szymanski's Mutex

This version [6] is represented in Figure (4). We flattened the original local boolean variables s, w and encoded their values in process states. These range over {q0, …, q7}. The initial state is q0 and the critical section is modeled by state q7. Processes that take transition t2 are guaranteed to eventually access their critical section. At transition t1, processes go to a waiting state where they wait for processes at state q1, q2, if any; otherwise, the next transitions are fired. Once a process has reached the gathering state, no other process can fire t2, and all processes waiting can move on. After all processes that fired t2 have gathered, they can get to the state from which they can access the critical section q7 with priority to the left most processes.

Fig. 4. Compact version of Szymanski's algorithm [6], with counters cr_i = [(v_{q0} ≥ 0) ∧ ⋀_{q∈Q\{q0}}(v_q = 0)], cr_f = [⋀_{q∈Q}(v_q ≥ 0)], and cr'_f = [(v_{q7} > 1) ∧ ⋀_{q∈Q\{q7}}(v_q ≥ 0)].



A.3 Szymanski's Algorithm

This version of Szymanski's algorithm comes from [19]. We flattened the local variable flag, which ranges over {0, 1, 2, 3, 4}, by encoding its value in process states. The initial state is q0, and the critical section is modeled by state q10.

Fig. 5. Szymanski's algorithm from [19] (states Q = {q0, q1, …} and transitions T = {t1, …}), with counters cr_i = [(v_{q0} ≥ 0) ∧ ⋀_{q∈Q\{q0}}(v_q = 0)], cr_f = [⋀_{q∈Q}(v_q ≥ 0)], and cr'_f = [(v_{q10} > 1) ∧ ⋀_{q∈Q\{q10}}(v_q ≥ 0)].



A.4 Gribomont-Zenner Mutex

This algorithm [14] is also derived from Szymanski's algorithm (Fig. 5). Its transitions are fine grained in the sense that tests and assignments are split in different atomic transitions. After encoding variable values in process states, the process states in the algorithm range over a set {q1, …}, where q1 is the initial state and q12 models a process at its critical section.

Fig. 6. Gribomont-Zenner algorithm [14], with counters cr_i = [(v_{q1} ≥ 0) ∧ ⋀_{q∈Q\{q1}}(v_q = 0)], cr_f = [⋀_{q∈Q}(v_q ≥ 0)], and cr'_f = [(v_{q12} > 1) ∧ ⋀_{q∈Q\{q12}}(v_q ≥ 0)].

B Proofs

B.1 Section 4

Lemma 1 (reachability). Algorithm (1) always terminates. If it returns unreachable, then (Init →* C_F) does not hold for the parameterized system P = (Q, T). Otherwise, it returns a trace e0 · t1 · e1 ⋯ em with e0 ∈ E_init, {em} ⊓_S E_{C_F} ≠ ∅, and e_{i+1} ∈ ∇(post_{t_{i+1}}(e_i)) for each i : 0 ≤ i < m.

Proof. Let W_k and V_k be the sets W and V obtained at (line (2)) at the k-th iteration of the loop. We can show the following four propositions by induction on k:

a) for each (e, r) in V_k ∪ W_k, r equals e0 · t1 ⋯ en for some n ≤ k, with e0 ∈ E_init, and e_{i+1} ∈ ∇(post_{t_{i+1}}(e_i)) for each i : 0 ≤ i < n

b) Init is a subset of [[V_k]] ∪ [[W_k]], and {c' | c →_t c' for some c ∈ [[V_k]], t ∈ T} (i.e., the successors of [[V_k]]) are in [[W_k]] ∪ [[V_k]].

c) for each e in V, {e} ⊓_S E_{C_F} is empty

d) the set {e | (e, r) ∈ V_k ∪ W_k} is minimal wrt ⊑_S, i.e., for any e, e', neither e ⊑_S e' nor e' ⊑_S e holds.

Base case: k = 0. Propositions (a) and (c) are verified. Requirement (1) ensures proposition (b). For proposition (d), E_init is assumed to be minimal (otherwise choose any minimal subset of it).

Suppose the propositions hold up to k. We show they hold for k + 1. Elements added to V need to fail the test at (line (4)). So proposition (c) holds. The test at (line (10)) and the conditions at (lines (11,12)) guarantee proposition (d). The form of the added tuple at (line (12)) ensures proposition (a).

For proposition (b), we show that i) [[V_k ∪ W_k]] ⊆ [[V_{k+1} ∪ W_{k+1}]], and that ii) the successors of [[e_c]] are also in [[V_{k+1} ∪ W_{k+1}]]. The only modifications to V_k ∪ W_k occur at (lines (11,12)). If e' is removed at (lines (11,12)) from V ∪ W, then the conditions at (lines (11,12)) ensure that e ⊑_S e' for some e ∈ New_t. The element e is added to V ∪ W, hence [[V_k ∪ W_k]] ⊆ [[V_{k+1} ∪ W_{k+1}]]. For condition (ii), observe that requirements (3.a) and (6) ensure that if c ∈ [[e]] and c →_t c', then there is e' ∈ New_t with c' ∈ [[e']]. The conditions at (lines (10,11,12)) ensure that e' is added to V unless it entails an element in V ∪ W.

Partial correctness. Suppose the Algorithm returns unreachable. Then W was empty at some iteration. Combined with proposition (b), we get that [[V]] is a fixpoint that includes all reachable configurations. Proposition (c) ensures that [[V]] ∩ C_F is empty. If the algorithm returns (reach, r), then the test at (line (4)) ensures that {e_c} ⊓_S E_{C_F} is non empty. Moreover, (line (3)) together with proposition (a) ensure that r = e0 · t1 · e1 ⋯ em satisfies e0 ∈ E_init, em = e_c, and e_{i+1} ∈ ∇(post_{t_{i+1}}(e_i)) for each i : 0 ≤ i < m.

Termination. Suppose the algorithm does not terminate. That means we add an infinite number of elements to V. Consider a sequence (e1, e2, …) where each e_k is some element added at iteration k. Proposition (d) and transitivity guarantee that in this sequence, i < j implies that e_i ⋢_S e_j. Indeed, if e_i ⊑_S e_j for some i < j, then e_i ∉ V_j when e_j was added at (line (11)) to V_j. This means that e_i was removed by some element e_k added to V_k at a later iteration k : i < k < j such that e_k ⊑_S e_i. By repeating this reasoning, and transitivity of ⊑_S, we deduce that V_{j−1} had an element e_{j−1} such that e_{j−1} ⊑_S e_j. Thus, e_j should not have passed the test at (line (10)), and hence not been added to V_j. The existence of such an infinite sequence contradicts requirement (3.b) since, according to the computation at (line (8)), all elements in V are of the form ∇(e) for some element e.

Lemma 2 (Refinement). Given a ∇-trace r = e0 · t1 ⋯ em with {em} ⊓_S E_{C_F} ≠ ∅, Algorithm (2) terminates. If it returns (reach, r), then there are c0, …, cm in C, with c0 ∈ Init, cm ∈ C_F and s.t. c_i →_{t_{i+1}} c_{i+1} for i : 0 ≤ i < m. Otherwise, it returns a stronger relaxation ∇' such that no relaxation ∇'' that is stronger than ∇' can have a ∇''-trace e'0 · t1 ⋯ e'm with {e'm} ⊓_S E_{C_F} ≠ ∅ and where e_i ⊑_S e'_i for i : 0 ≤ i ≤ m.

Proof. Termination is guaranteed by the fact that the number of iterations of the loop at (line (2)) is bounded by the finite size of the trace r, and that the other operations are effective. The algorithm returns (reach, r) if it succeeds in building a sequence (Current_m · t_m ⋯ Current_0) with Current_m = {em} ⊓_S E_{C_F}, and Current_i = {e_i} ⊓_S (⋃_{e ∈ Current_{i+1}} pre_{t_{i+1}}(e)) for each i : 0 ≤ i < m, and Current_0 ⊓_S E_init ≠ ∅. Requirements (2), (5) and (6) on pre_t(.) and on ⊓_S guarantee the existence of configurations c0, …, cm with c0 in [[Current_0]], and s.t. c_i →_{t_{i+1}} c_{i+1} and c_{i+1} in [[Current_{i+1}]] for each i : 0 ≤ i < m. Suppose the Algorithm returns instead a relaxation operator ∇' such that there exists a ∇''-trace (e'0 · t1 ⋯ e'm), for some ∇'' stronger than ∇', with e0 ⊑_S e'0, {e'm} ⊓_S E_{C_F} ≠ ∅, and e'_{i+1} ∈ ∇''(post_{t_{i+1}}(e'_i)) with e_{i+1} ⊑_S e'_{i+1} for each i : 0 ≤ i < m. This would happen at line (5) or at line (11). If at line (5), then let Current_m, Current_{m−1}, … be the sequence of sets Current manipulated at each iteration. In a similar manner, build the sequence Current'_m, Current'_{m−1}, … that we would obtain from the ∇''-trace (e'0 · t1 ⋯ e'm). Requirements (1) and (6.b) guarantee that Current_j ⊑_S Current'_j for each j : 0 ≤ j ≤ m. The fact that Algorithm (2) returned at line (5) says that there is an i : 0 ≤ i < m s.t. ∇' = S(post_{t_{i+1}}(e_i), Current_{i+1}, ∇) with (∇'(post_{t_{i+1}}(e_i)) ⊓_S Current_{i+1} = ∅). Since e_i ⊑_S e'_i we deduce (requirement (6.b)) that post_{t_{i+1}}(e_i) ⊑_S post_{t_{i+1}}(e'_i), and hence (requirement (3.b)) that ∇''(post_{t_{i+1}}(e_i)) ⊑_S ∇''(post_{t_{i+1}}(e'_i)). Since Current_{i+1} ⊑_S Current'_{i+1}, we deduce (∇''(post_{t_{i+1}}(e'_i)) ⊓_S Current'_{i+1} = ∅) as otherwise ∇'(post_{t_{i+1}}(e_i)) ⊓_S Current_{i+1} ≠ ∅. If at line (11), then ∇' = S({e0}, E_init, ∇), with ∇'(e0) ⊓_S E_init = ∅. Since e0 ⊑_S e'0, we deduce ∇'(e0) ⊑_S ∇''(e'0) and {∇''(e'0)} ⊓_S E_init = ∅. Hence r' would have {e'0} ⊓_S E_init = ∅, which contradicts its definition.

Theorem 1. Each iteration of the Algorithm depicted in Figure (1) terminates. If it returns unreachable, then Init →* C_F does not hold. If it returns (reachable, r), then Init →* C_F via the transitions in r. In addition, a false positive cannot be generated twice.

Proof. From Lemma (1) and Lemma (2) and the requirement that S returns a stronger relaxation operator.

B.2 Section 5

Lemma 3. For any k ∈ ℕ, (C_k, ⊑_C) is a well quasi ordering. In fact, from every infinite sequence (cr1, cr2, …), we can extract an infinite subsequence (cr_{i1} ⊑_C cr_{i2} ⊑_C ⋯).

Proof. Let (cr1, cr2, …) be an infinite sequence of counters. Fix a state q. If the number of counters for which cr_m(q) = (v_q ≥ b) (regardless of b) is infinite, then remove from the sequence all the counters for which cr_m(q) = (v_q = b') for some b'. Otherwise, if the number of counters for which cr_m(q) = (v_q ≥ b) (regardless of b) is finite, then there is a b0 ≤ k such that the number of counters for which cr_m(q) = (v_q = b0) is infinite. Keep those counters and remove all others from the sequence. By repeating this procedure for each state q in Q, we obtain a new infinite sequence of counters (cr_{m1}, cr_{m2}, …) for which, for any b, cr_{m1}(q) = (v_q = b) iff cr_{mi}(q) = (v_q = b). Fix a state q for which cr_{m1}(q) = (v_q ≥ b). It is possible to extract from the sequence another infinite sequence (cr_{n1}, cr_{n2}, …) such that if cr_{na}(q) = (v_q ≥ b_{na}) and cr_{na'}(q) = (v_q ≥ b_{na'}) with n_a < n_{a'}, then b_{na} ≤ b_{na'}. By repeating this for each state q, we obtain an infinite sequence in which (cr_{n1} ⊑_C cr_{n2} ⊑_C ⋯).

Lemma 4 (Well formedness). Assume a counted word φ = (l1,q1,r1) ⋯ (ln,qn,rn). For each i : 1 ≤ i ≤ n, let p^l_i be the multiset of states of the prefix q1 ⋯ q_{i−1} and p^r_i the multiset of states of the suffix q_{i+1} ⋯ qn. Then:

• Each li(q) equals (v_q = p^l_i(q)) or (v_q ≥ k) for some k in {0, …, p^l_i(q)}.

• Each ri(q) equals (v_q = p^r_i(q)) or (v_q ≥ k) for some k in {0, …, p^r_i(q)}.

Proof. Well formedness requires, for each i : 1 ≤ i ≤ n, that the prefix q1 ⋯ q_{i−1} satisfies li and that the suffix q_{i+1} ⋯ qn satisfies ri. The rest follows from the allowed predicates in the counters.

Lemma 5 (Entailment). The relation ⊑_cw is both reflexive and transitive. In addition, φ ⊑_cw φ' implies [[φ']] ⊆ [[φ]].

Proof. Follows from reflexivity and transitivity of ⊑_C. Also, if w ⊨^{h'} φ' and φ ⊑_cw^{h} φ', then w ⊨^{h' ∘ h} φ, where ∘ is function composition.

Theorem 2 (WQO). For any fixed k ∈ ℕ, the pair (CW_k, ⊑_cw) is a well quasi ordering.

Proof. Higman's Lemma states that if (Σ, ≤) is a well quasi ordering, then the pair (Σ*, ≤*)⁵ is also a well quasi ordering. We let Σ = C_k × Q × C_k, and (l,q,r) ≤ (l',q',r') if l ⊑_C l' and q = q' and r ⊑_C r'. Observe that CW_k ⊆ Σ*, and that ≤* coincides with ⊑_cw. Hence, showing that (Σ, ≤) is a well quasi ordering establishes the result. Lemma (3) states that (C_k, ⊑_C) is a well quasi ordering and that from every infinite sequence (cr1, cr2, …), we can extract an infinite subsequence (cr_{i1} ⊑_C cr_{i2} ⋯). Given an infinite sequence (l1,q1,r1), (l2,q2,r2), … we can extract an infinite sequence ((l_{m1},q_{m1},r_{m1}), (l_{m2},q_{m2},r_{m2}), …) in which q_{ma} = q_{mb} for all a ≠ b. We use Lemma (3) to deduce the existence of an infinite sequence

((l_{n1}, q_{n1}, r_{n1}) ≤ (l_{n2}, q_{n2}, r_{n2}) ≤ ⋯).
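The following Python illustration, added here and not part of the paper or of its Pcw prototype, exercises two things this page describes: the relaxation ∇_ρ of a counter wrt a resolution (Section 6, with the counter-level reading of Lemma 7) and the orderings used in the proof of Theorem 2 (⊑_C on counters, ≤ on tuples (l,q,r), and the subword embedding ≤* of the footnote). It assumes an encoding the page does not fix: a counter is a dict from states to ('eq', k) for v_q = k or ('ge', k) for v_q ≥ k, and cr ⊑_C cr' is taken semantically (every multiset accepted by cr' is accepted by cr, the direction given by Lemma 5). Strengthening after relaxation is not modelled, and the state set Q and all words below are constructed samples.

```python
"""Entailment, relaxation and embedding on counters and counted words.

Constructed illustration; not the paper's Pcw prototype.  Assumptions:
a counter maps every state to ('eq', k) meaning v_q = k or ('ge', k)
meaning v_q >= k (Lemma 4); cr <=_C cr' holds iff every multiset
accepted by cr' is accepted by cr (the direction of Lemma 5); relaxation
keeps v_q = k only when k < rho(q) (Section 6) and strengthening is not
modelled; embedding is the subword order <=* of the proof of Theorem 2.
"""
from itertools import product

Q = ("a", "b", "c")  # constructed sample state set


def counter(**preds):
    """Build a counter; states not mentioned get the trivial predicate v_q >= 0."""
    cr = {q: ("ge", 0) for q in Q}
    for q, (kind, k) in preds.items():
        assert q in Q and kind in ("eq", "ge") and k >= 0
        cr[q] = (kind, k)
    return cr


def satisfies(cr, multiset):
    """True iff the multiset (dict state -> count) meets every predicate of cr."""
    for q, (kind, k) in cr.items():
        n = multiset.get(q, 0)
        if (kind == "eq" and n != k) or (kind == "ge" and n < k):
            return False
    return True


def pred_entails(weak, strong):
    """True iff the single-state predicate `strong` implies `weak`."""
    wk, wv = weak
    sk, sv = strong
    if wk == "ge":                    # v >= wv follows from v >= sv or v = sv if sv >= wv
        return sv >= wv
    return sk == "eq" and sv == wv    # v = wv only follows from v = wv itself


def counter_leq(cr, cr2):
    """cr <=_C cr2: cr2 is at least as strong as cr on every state."""
    return all(pred_entails(cr[q], cr2[q]) for q in Q)


def counter_leq_bruteforce(cr, cr2, bound):
    """Semantic cross-check of counter_leq over all multisets with counts <= bound."""
    for counts in product(range(bound + 1), repeat=len(Q)):
        ms = dict(zip(Q, counts))
        if satisfies(cr2, ms) and not satisfies(cr, ms):
            return False
    return True


def relax_counter(cr, rho):
    """nabla_rho(cr): keep v_q = k only if k < rho(q); otherwise weaken to v_q >= k."""
    out = {}
    for q, (kind, k) in cr.items():
        if kind == "eq" and k < rho.get(q, 0):
            out[q] = ("eq", k)
        else:
            out[q] = ("ge", k)
    return out


def relaxation_is_monotone(cr, rho, rho2):
    """Counter-level reading of Lemma 7 for rho included in rho2:
    nabla_rho(cr) <=_C nabla_rho2(cr) <=_C cr."""
    assert all(rho.get(q, 0) <= rho2.get(q, 0) for q in Q)
    r1, r2 = relax_counter(cr, rho), relax_counter(cr, rho2)
    return counter_leq(r1, r2) and counter_leq(r2, cr)


def tuple_leq(t, t2):
    """(l,q,r) <= (l',q',r') iff l <=_C l', q = q' and r <=_C r' (proof of Theorem 2)."""
    l, q, r = t
    l2, q2, r2 = t2
    return q == q2 and counter_leq(l, l2) and counter_leq(r, r2)


def embeds(word, word2):
    """word <=* word2: a strictly increasing h with word[i] <= word2[h(i)].

    Greedy leftmost matching is complete for subword embedding, so no
    search over candidate injections is needed.
    """
    j = 0
    for t in word:
        while j < len(word2) and not tuple_leq(t, word2[j]):
            j += 1
        if j == len(word2):
            return False
        j += 1
    return True


if __name__ == "__main__":
    cr = counter(a=("eq", 3), b=("eq", 1))
    print(relax_counter(cr, {"a": 2, "b": 2}))
    print(counter_leq(counter(a=("ge", 1)), counter(a=("eq", 3))))
```

The brute-force check is there to validate the per-state entailment rule against the multiset semantics on small instances; the greedy embedding is the standard subword test and is what makes ≤* decidable in linear time once tuple comparison is available.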

Lemma 6 (Strengthening). Given a well formed word φ, the strengthening procedure terminates and yields a unique well formed word φ' s.t. [[φ]] = [[φ']] and φ ⊑_cw φ'.

Proof. Sketch. The rules of Figure (2) only strengthen the counters. Hence, φ ⊑_cw φ' and [[φ]] ⊇ [[φ']]. We first show that the rules of Figure (2) preserve denotation. We describe the cases left and right. The two other rules are symmetric. Suppose the counted word φ can be written both as the concatenation φ_p · (l,q,r) · (l',q',r') · φ_s and as the concatenation q1 · q2 ⋯ qn, with i = |φ_p|. If w in Q* verifies w ⊨^h φ, then:

w[h(i+1)] = q, w[h(i+2)] = q', l accepts (w[1, h(i+1)−1]), l' accepts (w[1, h(i+2)−1]), r accepts (w[h(i+1)+1, n]) and r' accepts (w[h(i+2)+1, n]).

Well formedness of φ and the allowed predicates in the counters (Lemma (4)) ensure that l' ⊖_C cr_q accepts (w[1, h(i+1)−1]). So both l and l' ⊖_C cr_q accept (w[1, h(i+1)−1]) and rule left does not affect denotation. In addition, r' ⊕_C cr_{q'} accepts (w[h(i+2), n]) and l' ⊖_C (l ⊕_C cr_q) accepts (w[h(i+1)+1, h(i+2)−1]). So r' ⊕_C cr_{q'} ⊕_C (l' ⊖_C (l ⊕_C cr_q)) accepts (w[h(i+1)+1, h(i+2)−1]) · (w[h(i+2), n]). As a result, both r and r' ⊕_C cr_{q'} ⊕_C (l' ⊖_C (l ⊕_C cr_q)) accept (w[h(i+1)+1, h(i+2)−1]) · (w[h(i+2), n]) and rule right does not affect the denotation. Observe that with a similar reasoning, we get that the rules preserve well formedness. By induction we get that [[φ]] ⊆ [[φ']]. Termination can be obtained as follows. At each rule, manipulated and obtained counted words are well formed. Using Lemma (4), we deduce that all counters belong to a finite lattice in which rules are monotonic functions that strengthen a counter and keep the others unchanged. Unicity can be obtained by contradiction. Suppose two different counted words are obtained as strengthenings of the same well formed counted word. The words can only differ in their counters. Pick different corresponding counters. Given the allowed forms for the predicates (Lemma (4)), we deduce that at least one predicate associated to some state is strictly stronger in one of the counters. If we apply to the word with a weaker predicate the sequence of rules that were applied to the word with a stronger predicate, we would get a strictly stronger predicate. This contradicts having reached a fixpoint for the counted word with a weaker predicate.

⁵ With σ1 ⋯ σn ≤* σ'1 ⋯ σ'm iff there is a strictly increasing h : n → m with σ_i ≤ σ'_{h(i)}.



B.3 Section 6



Lemma 7 (Relaxation). Given φ in CW and resolutions ρ ⊆ ρ', we have: ∇_ρ(φ) ⊑_cw ∇_{ρ'}(φ) ⊑_cw φ and ∇_ρ(φ) is in SCW_{max(0, 2k−1)} with k = max {ρ(q) | q in Q}.

Proof. Sketch. Without strengthening, k is the highest precision for the counters in ∇_ρ(φ), and the lemma clearly holds. Using a similar reasoning to the one used for proving unicity of the strengthening result, we can show that ∇_ρ(φ) ⊑_cw ∇_{ρ'}(φ) ⊑_cw φ. Indeed, if for example ∇_ρ(φ) ⋢_cw ∇_{ρ'}(φ), then there is a counter cr' in ∇_{ρ'}(φ) that does not entail a corresponding counter cr in ∇_ρ(φ), i.e., cr ⋢_C cr'. This is not possible. Indeed, before strengthening, ∇_ρ(φ) and ∇_{ρ'}(φ) are both well formed with the same base and strengthening in ∇_{ρ'}(φ) starts with stronger counters than the corresponding ones in ∇_ρ(φ). By applying to ∇_{ρ'}(φ) the sequence of strengthening rules used to strengthen ∇_ρ(φ), we obtain a cr' that is at least as strong as cr. In addition, strengthening cannot introduce arbitrary precision. The strongest precision 2k − 1 (for k ≥ 1) derived by strengthening is obtained when both left and right counters in some tuple (l,q,r) associate the predicate v_q = (k − 1) with the state q. In fact, one can show by induction on the number of applications of the strengthening rules (of ∇_ρ(φ)), that for any state q', κ(l ⊕_C cr_q ⊕_C r)(q') ≤ max(0, 2k − 1) is an invariant for each tuple (l,q,r).

Lemma 8 (Post and Pre). Given a strengthened word φ and a transition t we can compute a set of words post_t(φ) (resp. pre_t(φ)) such that post_t(φ) ⊑_cw post_t(φ') (resp. pre_t(φ) ⊑_cw pre_t(φ')) if φ ⊑_cw φ'. In addition, [[post_t(φ)]] and [[pre_t(φ)]] respectively equal {c' | c →_t c' with c in [[φ]]}, and {c' | c' →_t c with c in [[φ]]}.

Proof. The construction is given in Section (6).

Meet of two counted words. First, we introduce a number of notations. Let w, u, v, u', v' be counted words in CW. We write h^w_u to mean a strictly increasing injection from {1, …, |u|} to {1, …, |w|}. Given two injections h^w_u and h^w_{u'}, we also write h^w_{u·u'} to mean the mapping that sends i to h^w_u(i) if i ∈ {1, …, |u|} and to h^w_{u'}(i − |u|) if i ∈ {|u| + 1, …, |u| + |u'|}. We will make use of Definition (1) in order to prove partial correctness (Lemmata (11, 9)). Definition (1) describes conditions for a tuple (w, (u : v), (u' : v')) to be good wrt injections h^w_u and h^w_{u'}. Roughly, if a tuple (w, (u : v), (u' : v')) is good wrt h^w_u and h^w_{u'} then w ⊨^{h^w_u} u and w ⊨^{h^w_{u'}} u'. Moreover, if such a good tuple is supplied to the zip procedure, then all recursive calls will have as arguments good tuples whose associated injections extend (in a sense that will be made clear in Lemma (11)) h^w_u and h^w_{u'}.

Definition 1 (Goodness). Given counted words w, u, v, u', v' and injections h^w_u, h^w_{u'}, we say the tuple (w : (u, v) : (u', v')) is (h^w_u, h^w_{u'})-good if the images of h^w_u and h^w_{u'} together cover {1, …, |w|} and the following holds for each j : 1 ≤ j ≤ |w|:

1. if h^w_u(i) = j and j is not in the image of h^w_{u'}, define i' = max {0} ∪ {k | h^w_{u'}(k) < j}. Then:

   (a) (u_i)_q ∈ cxt(rc(u'_{[1, i']})) ∩ cxt(lc(u'_{[i'+1, |u'|]} · v')), and

   (b) w_j = u_i.

2. if h^w_u(i) = h^w_{u'}(i') = j, then:

   (a) lc(u_i) ⊓_C lc(u'_{i'}) ≠ ⊥_C and rc(u_i) ⊓_C rc(u'_{i'}) ≠ ⊥_C, and

   (b) w_j = (lc(u_i) ⊓_C lc(u'_{i'}), (u_i)_q, rc(u_i) ⊓_C rc(u'_{i'})).

3. if h^w_{u'}(i') = j and j is not in the image of h^w_u, similar to the first case with i, u, v, i', u', v' respectively replaced by i', u', v', i, u, v.

Lemma (11) establishes that given a good tuple (z : (p, s) : (p', s')) as argument, the procedure zip computes all counted words that entail (p · s) and (p' · s') and that have z as prefix.

Lemma 11 (zip correctness). Given an (h^z_p, h^z_{p'})-good tuple (z : (p, s) : (p', s')), the procedure zip(z : (p, s) : (p', s')) computes all counted words z · z' such that (z · z' : (p · s, ε) : (p' · s', ε)) is (h^{z·z'}_{p·s}, h^{z·z'}_{p'·s'})-good.

Proof. Sketch. For termination, use $|s| + |s'|$ as a ranking function. For partial correctness, proceed by induction on $|s| + |s'|$ to show that if claim (5) holds then claim (6) also holds, where claims (5) and (6) are given by:

$(z : (p,s) : (p',s'))$ is $(h_p, h_{p'})$-good. (5)

$\mathrm{zip}(z : (p,s) : (p',s')) = \{\, z \cdot z' \mid (z \cdot z' : (p \cdot s, \epsilon) : (p' \cdot s', \epsilon)) \text{ is } (h^{z \cdot z'}_{p \cdot s}, h^{z \cdot z'}_{p' \cdot s'})\text{-good} \,\}$ (6)

Base case: assume $|s| + |s'| = 0$. Among the guards at lines (2, 5, 9, 12) only the guard at line (12) is enabled. The procedure $\mathrm{zip}(z : (p,\epsilon) : (p',\epsilon))$ returns $\{z\}$ at line (13), for which $(z : (p,\epsilon) : (p',\epsilon))$ is $(h_p, h_{p'})$-good by assumption.

Induction: suppose Lemma 11 holds for all $(h_p, h_{p'})$-good tuples $(z : (p,s) : (p',s'))$ with $|s| + |s'|$ up to $n_0$. Assume claim (5) is true with $|s| + |s'| = (n_0 + 1)$. We show claim (6) holds. We first consider the case where both $s$ and $s'$ are non empty.

($\subseteq$) Suppose $z'' \in \mathrm{zip}(z : (p,s) : (p',s'))$. By assumption, among the guards at lines (2, 5, 9, 12), only the last one is disabled. By definition of the Procedure (zip), $z''$ has to be obtained from one of the following calls to Procedure (zip):

i) The call to Procedure (zip) at line (4). We describe why it is the case that $(z \cdot hd(s) : (p \cdot hd(s), tl(s)) : (p', s'))$ is $(h^{z \cdot hd(s)}_{p \cdot hd(s)}, h^{z \cdot hd(s)}_{p'})$-good. For each $j : 1 \le j \le |z|$, the conditions of items 1, 2, 3 in Definition 1 are guaranteed by claim (5). For $j = |z| + 1$, item (1) in Definition 1 requires $(u_i)_Q \in cxt(rc(u'[1,i'])) \cap cxt(lc(u'[i'+1,|u'|] \cdot v'))$, and $w_j = u_i$. This is guaranteed by the condition at line (3), which ensures that $hd(s)$, $p'$ and $s'$ (respectively playing the roles of $u_i$, $u'[1,i']$ and $u'[i'+1,|u'|] \cdot v'$) satisfy $(hd(s)_Q \in (cxt(rc(p')) \cap cxt(lc(s'))))$. We can apply the induction hypothesis since $|tl(s)| + |s'| = n_0$ and obtain that $z'' = z \cdot hd(s) \cdot z'''$ with $(z'' : (p \cdot s, \epsilon) : (p' \cdot s', \epsilon))$ $(h^{z \cdot hd(s) \cdot z'''}_{p \cdot s}, h^{z \cdot hd(s) \cdot z'''}_{p' \cdot s'})$-good.

ii) The call to Procedure (zip) at line (8). We explain why it is the case that $(z \cdot e : (p \cdot hd(s), tl(s)) : (p' \cdot hd(s'), tl(s')))$ is $(h^{z \cdot e}_{p \cdot hd(s)}, h^{z \cdot e}_{p' \cdot hd(s')})$-good. For each $j : 1 \le j \le |z|$, the conditions of items 1, 2, 3 in Definition 1 are guaranteed by claim (5). For $j = |z| + 1$, item (2) in Definition 1 requires that both $lc(u_i) \sqcap_C lc(u'_{i'})$ and $rc(u_i) \sqcap_C rc(u'_{i'})$ are different from $\bot_C$. In addition, it requires that $w_j = (lc(u_i) \sqcap_C lc(u'_{i'}),\ (u_i)_Q,\ rc(u_i) \sqcap_C rc(u'_{i'}))$. This is guaranteed by the condition at line (6), which ensures that $(lc(hd(s)) \sqcap_C lc(hd(s')) \ne \bot_C)$ and $(hd(s)_Q = hd(s')_Q)$ and $(rc(hd(s)) \sqcap_C rc(hd(s')) \ne \bot_C)$, and by the assignment at line (7), which ensures that

$e = (lc(hd(s)) \sqcap_C lc(hd(s')),\ hd(s)_Q,\ rc(hd(s)) \sqcap_C rc(hd(s')))$

Here, $e$ plays the role of $w_j$, $hd(s)$ the one of $u_i$, and $hd(s')$ the one of $u'_{i'}$. We can apply the induction hypothesis since $|tl(s)| + |tl(s')| = n_0 - 1$ and obtain that $z'' = z \cdot e \cdot z'''$ with $(z'' : (p \cdot s, \epsilon) : (p' \cdot s', \epsilon))$ $(h^{z \cdot e \cdot z'''}_{p \cdot s}, h^{z \cdot e \cdot z'''}_{p' \cdot s'})$-good.

iii) The call at line (11). Replace $p$ and $s$ by respectively $p'$ and $s'$ in the first case.

($\supseteq$) Consider a $z \cdot z'$ where $(z \cdot z' : (p \cdot s, \epsilon) : (p' \cdot s', \epsilon))$ is $(h^{z \cdot z'}_{p \cdot s}, h^{z \cdot z'}_{p' \cdot s'})$-good and $(z : (p,s) : (p',s'))$ is $(h_p, h_{p'})$-good. We want to show that $z \cdot z'$ is among the values returned by $\mathrm{zip}(z : (p,s) : (p',s'))$. Definition 1 guarantees that $|z \cdot z'| = h^{z \cdot z'}_{p \cdot s}(|p \cdot s|) \cup h^{z \cdot z'}_{p' \cdot s'}(|p' \cdot s'|)$ and $|z| = h_p(|p|) \cup h_{p'}(|p'|)$. Hence, the word $z'$ is not empty since $s \cdot s' \ne \epsilon$. Let $j = |z| + 1$; we have $(z \cdot z')_j = z'_1$. We know $j \in h^{z \cdot z'}_{p \cdot s}(|p \cdot s|) \cup h^{z \cdot z'}_{p' \cdot s'}(|p' \cdot s'|)$. Since $|z| = h_p(|p|) \cup h_{p'}(|p'|)$, there are three cases:

i) $j = h^{z \cdot z'}_{p \cdot s}(|p| + 1)$ and $h^{z \cdot z'}_{p' \cdot s'}(|p'|) < j < h^{z \cdot z'}_{p' \cdot s'}(|p'| + 1)$. This corresponds to item (1) in Definition 1. Here, $z'_1 = (z \cdot z')_{|z|+1}$ is playing the role of $w_j$, $(p \cdot s)_{|p|+1} = hd(s)$ the one of $u_i$, $|p'|$ the one of $i'$, $p \cdot s$ the one of $u$, $p' \cdot s'$ the one of $u'$, and $\epsilon$ the one of $v$ and $v'$. As a result, the condition (2) of Definition 1, which states that $(u_i)_Q \in cxt(rc(u'[1,i'])) \cap cxt(lc(u'[i'+1,|u'|] \cdot v'))$, guarantees that the guard at line (3) will be satisfied. $\mathrm{zip}(z : (p,s) : (p',s'))$ will therefore call $\mathrm{zip}(z \cdot hd(s) : (p \cdot hd(s), tl(s)) : (p', s'))$, which satisfies the induction hypothesis (since $|tl(s)| + |s'| = n_0$) and returns all $(h^{z \cdot hd(s) \cdot z''}_{p \cdot s}, h^{z \cdot hd(s) \cdot z''}_{p' \cdot s'})$-good tuples $(z \cdot hd(s) \cdot z'' : (p \cdot s, \epsilon) : (p' \cdot s', \epsilon))$. Hence, it will also return $z \cdot z'$.

ii) $j = h^{z \cdot z'}_{p \cdot s}(|p| + 1) = h^{z \cdot z'}_{p' \cdot s'}(|p'| + 1)$. This corresponds to item (2) in Definition 1. Here $z'_1 = (z \cdot z')_{|z|+1}$ is playing the role of $w_j$, $(p \cdot s)_{|p|+1} = hd(s)$ the one of $u_i$, $(p' \cdot s')_{|p'|+1} = hd(s')$ the one of $u'_{i'}$, and $\epsilon$ the one of $v$ and $v'$. As a result, the condition (2) of Definition 1 states that both $lc(u_i) \sqcap_C lc(u'_{i'})$ and $rc(u_i) \sqcap_C rc(u'_{i'})$ are different from $\bot_C$, and that $w_j = (lc(u_i) \sqcap_C lc(u'_{i'}),\ (u_i)_Q,\ rc(u_i) \sqcap_C rc(u'_{i'}))$. This guarantees that the guard at line (8) will be satisfied, and that the computed $e$ at line (9) equals $w_j$. $\mathrm{zip}(z : (p,s) : (p',s'))$ will then call $\mathrm{zip}(z \cdot e : (p \cdot hd(s), tl(s)) : (p' \cdot hd(s'), tl(s')))$, which satisfies the induction hypothesis (since $|tl(s)| + |tl(s')| = n_0 - 1$) and returns all $(h^{z \cdot e \cdot z''}_{p \cdot s}, h^{z \cdot e \cdot z''}_{p' \cdot s'})$-good tuples $(z \cdot e \cdot z'' : (p \cdot s, \epsilon) : (p' \cdot s', \epsilon))$. Hence, it will also return $z \cdot z'$.

iii) $j = h^{z \cdot z'}_{p' \cdot s'}(|p'| + 1)$ and $h^{z \cdot z'}_{p \cdot s}(|p|) < j < h^{z \cdot z'}_{p \cdot s}(|p| + 1)$. Symmetrical to the first case above, with lines (10) and (11) playing the role of lines (3) and (4).

The cases where one of $s, s'$ is empty are similar to taking one of (i) or (iii) in each of the $\subseteq$ and $\supseteq$ directions.



Lemma 9 uses the result of Lemma 11 in order to establish that the result of $\mathrm{zip}(\epsilon : (\epsilon,\varphi) : (\epsilon,\varphi'))$ exactly captures $[\![\varphi]\!] \cap [\![\varphi']\!]$.



Lemma 9 (intersection). Given $\varphi, \varphi'$ in SCW, $\mathrm{zip}(\epsilon : (\epsilon,\varphi) : (\epsilon,\varphi'))$ returns a set $\{\varphi_1, \ldots, \varphi_n\}$ s.t. $(\varphi \sqsubseteq_{cw} \varphi_i)$, $(\varphi' \sqsubseteq_{cw} \varphi_i)$ for each $i \in [1..n]$, and $\bigcup_{i \in [1..n]} [\![\varphi_i]\!] = [\![\varphi]\!] \cap [\![\varphi']\!]$.

Proof. The tuple $(\epsilon : (\epsilon,\varphi) : (\epsilon,\varphi'))$ is good wrt. the empty injections $h_\epsilon, h_\epsilon$. Lemma 11 states that $\mathrm{zip}(\epsilon : (\epsilon,\varphi) : (\epsilon,\varphi'))$ returns $I = \{ z \mid (z : (\varphi,\epsilon) : (\varphi',\epsilon)) \text{ is } (h^z_\varphi, h^z_{\varphi'})\text{-good} \}$.

Observe that Definition 1 guarantees that each $z$ satisfies $(\varphi \sqsubseteq^{h^z_\varphi} z)$ and $(\varphi' \sqsubseteq^{h^z_{\varphi'}} z)$. Hence, $[\![z]\!] \subseteq [\![\varphi]\!] \cap [\![\varphi']\!]$. Moreover, assume a word $w = w_1 \cdots w_n$ in $Q^*$ verifies both $(w \models^{h} \varphi)$ and $(w \models^{h'} \varphi')$. We exhibit a counted word $z$ in $I$ such that $w \in [\![z]\!]$. We let $w' = w_{a_1} \cdots w_{a_m}$ be the word obtained by only keeping in $w$ those indices that belong to the union of the images of $h$ and $h'$. More precisely, for each $k : 1 \le k \le m$, we keep $w_{a_k}$ iff $a_k \in h(|\varphi|) \cup h'(|\varphi'|)$. This defines an injection $h'' : |w'| \to |w|$ with $h''(k) = a_k$ for each $k \in |w'|$. In the same context, we define the injections $h^{w'}_\varphi : |\varphi| \to |w'|$ and $h^{w'}_{\varphi'} : |\varphi'| \to |w'|$ with $h^{w'}_\varphi(i) = k$ when $h(i) = a_k$ for each $i \in |\varphi|$, and $h^{w'}_{\varphi'}(i') = k$ when $h'(i') = a_k$ for each $i' \in |\varphi'|$. Observe that by construction and well formedness of $\varphi$ and $\varphi'$, both $(w' \models^{h^{w'}_\varphi} \varphi)$ and $(w' \models^{h^{w'}_{\varphi'}} \varphi')$ hold.

Back to Definition 1. Let $z$ be a counted word with $\underline{z} = w'$ and such that the tuple $(z : (\varphi,\epsilon) : (\varphi',\epsilon))$ is $(h^{w'}_\varphi, h^{w'}_{\varphi'})$-good. The word $z$ is well defined because $(w' \models^{h^{w'}_\varphi} \varphi)$ and $(w' \models^{h^{w'}_{\varphi'}} \varphi')$. Also, $w \models^{h''} z$, as otherwise, by construction of $z$, $w \not\models^{h} \varphi$ or $w \not\models^{h'} \varphi'$.

Lemma 10 (separation). Assume $\mathrm{zip}(\epsilon : (\epsilon,\varphi) : (\epsilon,\varphi'))$ returns an empty set. If $\mathrm{zip}(\epsilon : (\epsilon, \nabla_\rho(\varphi)) : (\epsilon, \varphi'))$ in Procedure augzip returns the pair $(\_, avoid)$, then any resolution $\rho'$ that satisfies $(avoid[\rho'])$ ensures that $\mathrm{zip}(\epsilon : (\epsilon, \nabla_{\rho_{max}}(\varphi)) : (\epsilon, \varphi'))$ returns the empty set, with $\rho_{max}(q) = \max(\rho(q), \rho'(q))$ for each $q$ in $Q$.

Proof. Sketch. Suppose $(avoid[\rho'])$ holds but a counted word $z$ is still returned by $\mathrm{zip}(\epsilon : (\epsilon, \nabla_{\rho_{max}}(\varphi)) : (\epsilon, \varphi'))$. By construction of Procedure augzip, the formula $avoid$ has to imply the disjunction over the results of $(\mathit{reasons}(O_i))$, where $O_i$ captures the sequence of tests that need to be validated in order to add $z$ to $\mathrm{zip}(\epsilon : (\epsilon, \nabla_\rho(\varphi)) : (\epsilon, \varphi'))$. Since $\rho'$ satisfies the disjunction, at least one of the tests will have to fail when trying to build $z$ in $\mathrm{zip}(\epsilon : (\epsilon, \nabla_{\rho_{max}}(\varphi)) : (\epsilon, \varphi'))$. Failure of the test is guaranteed since relaxation ensures that the precision of a counter in $\nabla_{\rho_{max}}(\varphi)$ is larger than or equal to (in the multiset sense) the one in $\nabla_{\rho'}(\varphi)$, which is already sufficient to fail at least one of the tests required to generate $z$ and captured by $O_i$.



